Lenovo to pay $3.5M in lawsuit involving 750,000 vulnerable laptops
MANILA, Philippines – US authorities imposed penalties on Chinese tech brand Lenovo for releasing and selling laptops that were vulnerable to hacking, according to a press release by the US Federal Trade Commission (FTC).
"Lenovo compromised consumers' privacy when it preloaded software that could access consumers' sensitive information without adequate notice or consent to its use," said Acting FTC Chairman Maureen Ohlhausen.
"This conduct is even more serious because the software compromised online security protections that consumers rely on," she added.
The estimated 750,000 laptops sold – released from August 2014 to January 2015 – came pre-installed with adware called VisualDiscovery that had a huge security flaw. Hackers were able to forge the software's certificate and, in turn, access communications encrypted over HTTPS.
HTTPS is the internet protocol facilitating the communications between one's computer and a website. It is the encrypted, more secure form of the older HTTP standard. The VisualDiscovery software essentially gave hackers a way to bypass HTTPS protection, leaving users vulnerable.
Several months after the affected laptops' release, the bug was discovered and named Superfish, after the company behind the flawed software.
Charges and penalties
The discovery prompted the FTC to pursue a case against Lenovo, which the brand settled on Tuesday, September 5, US time.
The FTC punished Lenovo by prohibiting the company from installing adware without the user's "affirmative consent." The US agency also required Lenovo to implement a comprehensive security program for preloaded software. On top of that, the company will be subject to third-party audits for the next 20 years.
In addition, Lenovo will pay a total of $3.5 million to 32 US states, in settlements pursued by state attorneys general.
For those who might have bought US versions of Lenovo laptops in 2014 and 2015, science and tech publication Inverse showed a list of potential models with Superfish: E-Series, Edge Series, Flex-Series, G-Series, Miix Series, S-Series, U-Series, Y-Series, Yoga Series, and Z-Series.
You may also visit this LastPass page to check if your computer is safe. – Rappler.com