Connecticut Leads Settlement Lenovo Installation of Hacker vulnerable Software on Computers

Press Releases

Joint Release of the Attorney General and Department of Consumer Protection Header

09/05/2017

Connecticut Leads $3.5M Multistate Settlement with Lenovo over Installation of Hacker-vulnerable Software on Laptop Computers

Connecticut has joined with 31 other states in a settlement with technology company Lenovo (United States) Inc. to resolve allegations that the company violated state consumer protection laws by pre-installing faulty software on laptop computers sold to Connecticut consumers that made consumers' personal information vulnerable to hackers, Attorney General George Jepsen and state Department of Consumer Protection (DCP) Commissioner Michelle H. Seagull said today.

In August 2014, North Carolina-based Lenovo began selling certain laptop computers that contained pre-installed ad software called VisualDiscovery, which was created by the company Superfish, Inc. VisualDiscovery purportedly operated as a shopping assistant by delivering pop-up ads to consumers of similar looking products sold by Superfish retail partners whenever a customer's mouse hovered over the image of a product on a shopping Web site. Unless consumers affirmatively opted out, VisualDiscovery would be enabled on their computers.

The states alleged that VisualDiscovery was faulty in that it risked exposing consumers' personal information to hackers. The program operated by acting as a local proxy, or "man in the middle," that stood between the consumer's browser and all Internet Web sites that the user visited, including encrypted sites. This technique allowed the software to see all of a user's sensitive personal information that was transmitted on the Internet. Consumer information, including sensitive communications with encrypted Web sites, would be collected and transmitted to Superfish, the states allege.

The states alleged that Visual Discovery created a security vulnerability that made consumers' information susceptible to hackers in certain situations. The states allege that Lenovo's failure to adequately ensure the security of VisualDiscovery, to disclose the program's presence on its computers, to warn consumers that the software created a security vulnerability and provide adequate opt-out procedure violated state consumer protection laws.

Lenovo stopped shipping laptops with VisualDiscovery preinstalled in February 2015, though the states allege that some laptops with the software were still being sold by various retail outlets as late as June 2015.

"Consumers have a reasonable expectation that their personal information will be protected when they purchase a new personal computer," said Attorney General Jepsen. "In this case, Lenovo instead built software into devices that compromised consumer privacy and failed to make adequate disclosures to consumers that their personal information was being collected and transmitted to a third party. We appreciate Lenovo's cooperation in bringing this matter to an appropriate resolution."

"It's incredibly important that businesses provide appropriate disclosures to consumers purchasing their products," said Commissioner Seagull. "Consumers should expect to have all the tools they need to protect their personal information, and to opt out of any services that may compromise their information. We want to thank Lenovo and all states involved in this resolution for their cooperation."

Connecticut led the investigation together with California, Illinois and Pennsylvania. The settlement was negotiated and finalized in coordination with the Federal Trade Commission. Connecticut will receive $286,145 from the settlement funds, which will be deposited into the state's General Fund.

In addition to the monetary payment, the settlement requires Lenovo to change its consumer disclosures about pre-installed advertising software, to require a consumer's affirmative consent to using the software on their device and to provide a reasonable and effective means for consumers to opt-out, disable or remove the software.

Lenovo is also required to implement and maintain a software security compliance program and must obtain initial and biennial assessments for the next 20 years from a qualified, independent, third-party professional that certifies the effectiveness and compliance with the security compliance program.

The settlement is not final unless and until it is approved by the court.

Assistant Attorneys General Jonathan Blake and Matthew Fitzsimmons, head of the Privacy and Data Security Department, assisted the Attorney General with this matter.