The affected Lenovo laptops ran a preinstalled software program called VisualDiscovery, which acted as a "man in the middle" between consumers' browsers and the websites they visited. The software was incredibly vulnerable from a security perspective, as it allowed hackers to collect social security numbers, medical information or logins, passwords with relative ease, the FTC said.
VisualDiscovery, which was developed by a company called SuperFish, delivered for products sold by Superfish's retail partners whenever a user's cursor hovered over an image of a similar product on a shopping website. Someone who scrolled over a Playstation 4 on Amazon, for example, would see ads on the same webpage for places they could purchase a Playstation 4 from SuperFish's retail partners. Such practices are often labeled as "adware," an ad-specific adaptation of "malware."
Lenovo eventually issued a "high severity" update to its users, asking them to uninstall its own software. Superfish programs were also found to run on certain Dell laptops as well.
The electronics manufacturer will not pay a fine, but is prohibited from misrepresenting any features of software preloaded on laptops that will inject advertising into a consumer's browser. The company also cannot transmit sensitive user information to third parties and must get "affirmative consent" before reinstalling ad-related software, the FTC said in its complaint, adding that Lenovo must implement a comprehensive software security program for software it preloads on its laptops.
"While Lenovo disagrees with allegations contained in these complaints, we are pleased to bring this matter to a close after two-and-a-half years," Lenovo said in a statement Tuesday. "To date, we are not aware of any actual instances of a third party exploiting the vulnerabilities to gain access to a user's communications."
"Subsequent to this incident, Lenovo introduced both a policy to limit the amount of pre-installed software it loads on its PCs, and comprehensive security and privacy review processes, actions which are largely consistent with the actions we agreed to take in the settlements announced today," the company added.