Lenovo, a leading computer maker in China, has been fined $3.5 million by the Federal Trade Commission (FTC) and 32 states for allegedly pre-installing malicious Superfish adware on its laptops shipped between August 2014 and February 2015.
This is not the first time we have covered alleged misconduct by the Chinese computer maker. Back in 2014 we featured an article about how China was conducting espionage in the Caribbean under the guise of aid. More information on that can be found at this link and this link.
Lenovo has since suffered a consumer backlash, and the U.S. Department of Homeland Security publicly advised users to delete the pre-installed software from their Lenovo-branded computers. However, this fine by the FTC is the first concrete repercussion Lenovo has suffered over the alleged installation of malicious software on its computers.
Under the agreed settlement, Lenovo is to pay the $3.5 million penalty and is required to run a comprehensive security program for all consumer software it pre-installs on its computers over the next 20 years. The security program will also be subject to audit by an independent party. Additionally, Lenovo is required to get explicit permission from users before it pre-installs software such as the adware mentioned above.
This security breach breaks HTTPS connections
The security expert and researcher who discovered the security breach caused by the pre-installed software on Lenovo computers is very concerned that the program even breaks HTTPS connections, thereby exposing users to potentially harmful websites and attacks by hackers. That could happen even if users are visiting sites that would otherwise be secure.
The FTC gives users some level of comfort by assuring them that although the adware stole their data, it does not appear that any of that information was relayed to Superfish.
Lenovo disagrees with the FTC ruling
In a statement responding to the FTC ruling, Lenovo says that it “disagrees with allegations contained in these complaints,” but that it is glad the matter has come to a conclusion after 2-1/2 years. Lenovo insists that there has never been a reported incident of a user whose information had actually been taken advantage of without their knowledge.
The company further says it has beefed up security and deliberately began limiting the amount of bloatware that came preloaded with its PCs.