However, experts found that the software also opened up users to cyber attacks and hacking attempts because of serious security vulnerabilities. Findings showed that the program could access all of a user’s private information, even if it was encrypted, and routinely inserted itself into the security certification process, which essentially gave consumers no warning if they visited a spoofed or malicious website.
Today, Lenovo agreed to settle charges from the Federal Trade Commission (FTC) and 32 State Attorney’s General over these compromised security protections, and is prohibited from misrepresenting features of pre-loaded software on its devices.
The company also agreed to get affirmative consent from consumers before pre-installing such software again and will be required to implement a comprehensive software security program that is subject to third-party audits for 20 years.
“Lenovo compromised consumers’ privacy when it preloaded software that could access consumers’ sensitive information without adequate notice or consent to its use,” said Acting FTC Chairman Maureen K. Ohlhausen. “This conduct is even more serious because the software compromised online security protections that consumers rely on.”
Ohlhausen added that the FTC had no authority to levy civil penalties against Lenovo because it is the company’s first violation of the FTC Act. However, she said that the company may still face some financial setback because of the lengthy nature of the security program it must implement.
-----
Update: 9/6/17
In an announcement made earlier today by 32 State Attorneys General, Lenovo will pay a $3.5 million settlement in connection to its Superfish adware. The settlement stlll needs to be approved by state courts, but after clearing that hurdle the money will be split proportionately among participating states.