Lenovo Gets Off Easy With $3.5 Million Fine For Preinstalling Superfish Adware

Lenovo had its name dragged through the mud back in 2015, and its problems were no doubt self-inflicted. The company was caught preinstalling Superfish adware on hundreds of thousands of the computers it sold to customers, an effort to line its pockets with an additional revenue stream.

However, it was soon discovered that Superfish also opened customers up to attacks from hackers and exposed their private information. Today, the Federal Trade Commission (FTC) has concluded its investigation into the company, and has essentially handed it a slap on the wrist.


Superfish’s crown jewel was its VisualDiscovery software, which acted as a man-in-the-middle, intercepting the traffic between a user’s web browser and the websites they visited on a daily basis (without user consent). What made VisualDiscovery especially heinous was the breadth of personal information it was able to monitor as a result.

VisualDiscovery was allowed to “access all of a consumer’s sensitive personal information transmitted over the Internet, including login credentials, Social Security numbers, medical information, and financial and payment information,” according to the FTC. “While VisualDiscovery collected and transmitted to Superfish’s servers more limited information, such as the websites the user browsed and the consumer’s IP address, Superfish had the ability to collect more information.”

Making matters even worse was the fact that VisualDiscovery used self-signed certificates, leaving affected users ripe for exploitation by malicious hackers. While Lenovo was quick to apologize and even offered an automated tool to remove the software, the damage to customers (and to Lenovo’s reputation) had already been done.

When it comes to the FTC sanctions, Lenovo got off easy. The Commission wrote:

As part of the settlement with the FTC, Lenovo is prohibited from misrepresenting any features of software preloaded on laptops that will inject advertising into consumers’ Internet browsing sessions or transmit sensitive consumer information to third parties. The company must also get consumers’ affirmative consent before pre-installing this type of software. In addition, the company is required for 20 years to implement a comprehensive software security program for most consumer software preloaded on its laptops. The security program will also be subject to third-party audits.

As for the 31 states that sued the company over its actions, the result there was also relatively painless (for a company of Lenovo’s size). It reached a settlement in which it will pay just $3.5 million in total to “resolve allegations the technology company violated state consumer protection laws”.

“Regardless of the device we’re talking about,” said New Jersey Attorney General Christopher S. Porrino, “companies who make consumer technology such as personal computers and laptops have a duty not to compromise the personal information of consumers and have a duty to disclose the presence of any software that’s been pre-installed on the device.”