In 2015, Beijing-based laptop manufacturer and seemingly reliable technology company Lenovo made headlines when it emerged that 750,000 of its laptops had shipped with pre-installed adware called VisualDiscovery, developed by Superfish.
The adware compromised the online security protections that users had installed on their laptops, accessed financial data, and performed man-in-the-middle attacks on private and secure connections, as a result of which attackers could gain free access to the system and spy on encrypted communications.
Now, in a class action lawsuit, Lenovo has agreed to a settlement under which it will pay $7.3 million to customers who found the pre-installed adware on their devices, putting their privacy at risk.
According to Bloomberg Law, the U.S. District Court for the Northern District of California granted initial approval of the settlement on November 21, four months after Lenovo and the consumer class filed with the court to end the spyware action.
Back in 2015, Lenovo, for its part, maintained that it did not agree with the allegations and that it was unaware of any exploitation of the app by third parties. Furthermore, the company claimed that it had already stopped selling the software in 2015.
“While Lenovo disagrees with allegations contained in these complaints, we are pleased to bring this matter to a close after 2-1/2 years. To date, we are not aware of any actual instances of a third-party exploiting the vulnerabilities to gain access to a user’s communications,” read Lenovo’s (now deleted) official statement.
In 2015, cybersecurity expert Robert Graham analyzed the SuperFish software and wrote in a blog post:
“The SuperFish software is particularly bad. It’s designed to intercept all encrypted connections. It does this in a poor way that it leaves the system open to hackers or NSA-style spies. For example, it can spy on your private bank connections, as shown in this picture.”
Notably, in 2017 Lenovo agreed to pay $3.5 million under an agreement with the Federal Trade Commission, Connecticut, and 31 other states. The company also pledged to change the way it sells devices. Moreover, in a separate agreement, the company paid an additional $3.5 million to state authorities.