
Attorney General Announces $3.5M Multi-State Settlement with Lenovo over Hacker-Vulnerable Software

New Jersey

Attorney General Christopher S. Porrino announced today that New Jersey has joined with 31 other states in an overall $3.5 million settlement with Lenovo Inc. that resolves allegations the technology company violated state consumer protection laws by pre-installing software in laptop computers that made users’ personal information vulnerable to hackers.

“This is an important settlement for New Jersey consumers because it sets down a variety of conditions designed to ensure that, going forward, Lenovo will better protect the personal identifying information of consumers, be more transparent about what software is pre-installed on the products it sells, and provide consumers clearer and more accessible ways to opt out of having such software activated – or present on the machine at all,” said Attorney General Porrino.

In August 2014, North Carolina-based Lenovo began selling certain laptop computers that contained pre-installed ad software called VisualDiscovery, which was created by the company Superfish, Inc.

VisualDiscovery purportedly operated as a shopping assistant by delivering to consumers pop-up ads of similar-looking products sold by Superfish retail partners whenever a customer's mouse hovered over the image of a product on a shopping Web site.

The states alleged that VisualDiscovery displayed a one-time pop-up window when consumers visited a shopping web site for the first time. Unless consumers affirmatively opted out, VisualDiscovery would then be enabled on their computers.

According to the states, VisualDiscovery operated by acting as a local proxy, or "man in the middle," that stood between the consumer's browser and all Internet web sites that the user visited, including encrypted sites.

This technique allowed the software to see all of a user's sensitive personal information that was transmitted on the Internet. Consumer information, including sensitive communications with encrypted Web sites, would be collected and transmitted to Superfish.

The states alleged that VisualDiscovery created a security vulnerability that made consumers' information susceptible to hackers in certain situations. The states also alleged that Lenovo's failure to disclose the presence of VisualDiscovery on its computers, its failure to warn consumers that the software created a security vulnerability and its inadequate opt-out procedure violated state consumer protection laws.

Lenovo stopped shipping laptops with VisualDiscovery pre-installed in February 2015, though the states contend that some laptops with the software were still being sold by various retail outlets as late as June 2015.

New Jersey will receive approximately $97,000 from the Lenovo settlement funds. In addition to monetary payment, the settlement requires Lenovo to change its consumer disclosures about pre-installed advertising software, require a consumer's affirmative consent to using the software on their device, and provide a reasonable and effective means for consumers to opt out of, disable or remove the software.

Lenovo is also required to implement and maintain a software security compliance program, and must obtain initial and biennial assessments of that program for the next 20 years from a qualified, independent, third-party professional.

The settlement is not final unless and until it is approved by the court.
