Attorney General Josh Shapiro holds tech company accountable for exposing consumers’ personal financial data

September 5, 2017 | Topic: Consumers

HARRISBURG — Attorney General Josh Shapiro today announced the Office of Attorney General has agreed to a settlement with a technology company over allegations the firm installed software on computers sold to Pennsylvania consumers that exposed their personal information and made it vulnerable to online hackers.

The settlement with Lenovo Inc. was negotiated in coordination with the Federal Trade Commission and 31 other state Attorneys General. Lenovo has agreed to a number of corrective actions to ensure consumers’ private financial information is better protected on their computers in the future.

“Lenovo failed to warn consumers the software it installed on their computers made them vulnerable to cyber-attacks,” Attorney General Josh Shapiro said. “Pennsylvania consumers’ personal information and privacy rights should not be  compromised by any company, and we’ll fight to protect them.”

In 2014, Lenovo began selling laptop computers that contained ad software – adware – called Superfish VisualDiscovery. The software delivered pop-up ads for retail products. If a user was shopping at an online retailer for a specific product, VisualDiscovery would insert ads into the browser for products sold by related retail partners. VisualDiscovery displayed a one-time pop-up window the first time consumers visited a shopping website. Unless consumers affirmatively opted out, VisualDiscovery would be enabled on their computers.

The software caused both the user and the browser to incorrectly believe they had established an encrypted connection. To create the illusion of an encrypted connection, VisualDiscovery falsified self-signed digital certificates without consumers’ knowledge.

Visual Discovery’s software created a security vulnerability that made consumers’ information susceptible to hackers. Lenovo’s failure to disclose the presence of VisualDiscovery on its computers, its failure to warn consumers that the software created a security vulnerability and its inadequate opt-out procedure violated state consumer protection laws.

A total of 31 states including Pennsylvania participated in the multistate settlement, which will distribute $3.5 million nationwide. Of that total, $252,569 will be deposited into Pennsylvania’s General Fund.

The settlement also requires Lenovo to:

Change its consumer disclosures about pre-installed advertising software
Require a consumer’s affirmative consent to using the software on their device
Provide a reasonable, effective means for consumers to opt-out or remove the software.
Obtain assessments for the next 20 years from an independent, third-party professional that certifies the effectiveness of Lenovo’s security compliance program.
If consumers believe their computers were infected by the Superfish VisualDiscovery software, they can use this link to remove the adware from their computer: https://pcsupport.lenovo.com/us/en/product_security/superfish_uninstall

“When Pennsylvanians buy a computer, they have a right to expect their personal data will not be compromised or exposed to others without their permission,”Attorney General Shapiro said.

To read the settlement, click here: Stipulated Consent and Complaint.

# # #