(CN) – Lenovo, one of the world’s largest computer manufacturers, agreed on Tuesday to pay $3.5 million to settle charges it sold laptops with pre-loaded software that compromised users’ security protections.
The agreement with the Federal Trade Commission and 32 states also requires the company to make changes in how it sells laptops.
The software, called VisualDiscovery, was installed on hundreds of thousands of laptops beginning in August 2014 in order to deliver pop-up advertisements. The software also blocked browsers from warning users when they tried to access malicious websites.
But the software was also able to access consumers’ personal data, like Social Security numbers, login credentials and financial information, the FTC said.
The program was installed on “hundreds of thousands computers” the FTC said and on top of sharing personal information, the program also produced pop-ups from its retail partners whenever a user hovers their mouse over a similar looking product on a website.
“Lenovo compromised consumers’ privacy when it preloaded software that could access consumers’ sensitive information without adequate notice or consent to its use,” said acting FTC chairman Maureen Ohlhausen in a written statement. “This conduct is even more serious because the software compromised online security protections that consumers rely on.”
In its original complaint, the FTC alleged that VisualDiscovery pulled off the pop-up invasion by using an “insecure method” to replace digital certificates for websites.
“Digital certificates are used to signal to a user’s browser that the encrypted websites visited by a consumer are authentic and not imposters. VisualDiscovery, however, did not adequately verify that the websites’ digital certificates were valid before replacing them, and used the same, easy-to-crack password on all affected laptops rather than using unique passwords for each laptop,” the announcement said.
The vulnerabilities also made it impossible to warn users if they were visiting potentially malicious sites with invalid certificates, opening up their information for hackers to spy on. All a hacker need do, the FTC explained, was simply crack the pre-installed password.
Lenovo responded by saying it wasn’t aware of the security gaps because it failed to assess the security risks created by third party software it installed on its laptops.
As a part of the settlement, Lenovo must now obtain consumers’ consent before pre-installing this type of software on its products. Additionally, for the next 20 years, Lenovo will be forced to implement a “comprehensive security program for most consumer software preloaded on its laptops.”
Third party audits will also be mandatory now, the FTC said. The commission agreed to accept the agreement 2-0. The agreement, which is published in the Federal Register, will be open to public comment through October 5. After that time, the commission will issue a decision on whether or not to finalize the order.
In a statement posted on its website on Tuesday, Lenovo said that it was “pleased to bring this matter to a close after two-and-a-half years” but still “disagrees with the allegations contained in these complaints.”
“After learning of the issues, in early 2015, Lenovo stopped preloading VisualDiscovery and worked with antivirus software providers to disable and remove this software from existing PCs,” the statement said, adding a link to instructions for removal of the adware. “To date, we are not aware of any actual instances of a third party exploiting the vulnerability to gain access to a user’s communications. Subsequent to this incident, Lenovo introduced both a policy to limit the amount of pre-installed software it loads on its PCs and comprehensive security and privacy review processes, actions which are largely consistent with the actions we agreed to take in the settlements announced today.”