Lenovo settles over Superfish adware, will pay $3.5 million

The adware created security holes in Lenovo laptops, leaving users potentially vulnerable to attacks.

Ben Fox Rubin Former senior reporter

Lenovo reached a settlement Tuesday with the US Federal Trade Commission, ending a two-and-a-half-year dispute over the Chinese company preinstalling problematic advertising software on hundreds of thousands of its laptops.

Thirty-two state attorneys general joined the FTC settlement, with the states getting a $3.5 million settlement from Lenovo.

The FTC accused Lenovo, one of the world's largest PC makers, of preinstalling ad software called VisualDiscovery from the company Superfish on some of its laptops in the US between late 2014 and early 2015. VisualDiscovery tracks your web searches and browsing activity to place additional ads on the sites you visit. The FTC said VisualDiscovery also interfered with how a user's browser interacted with websites, leaving customers open to serious security vulnerabilities. Lenovo said it's not aware of any instance in which a third party exploited this vulnerability to access a user's communications.

VisualDiscovery was able to access all of a consumer's personal information sent online, including login credentials, Social Security numbers, medical information, and financial and payment information, the FTC said. However, the software collected more limited information, such as a user's browsing history and IP address, to serve ads. In early 2015, Lenovo said it stopped preloading VisualDiscovery and worked with antivirus software providers to disable and remove this software from existing PCs.

"While Lenovo disagrees with allegations contained in these complaints, we are pleased to bring this matter to a close," the company said in a statement Tuesday.

As part of the FTC settlement, Lenovo agreed to a series of restrictions and guidelines. The company must get consumers' consent before preinstalling certain kinds of advertising software. Also, for the next 20 years, the company will have to run a software security program for most consumer software preloaded on its laptops.

After this incident, Lenovo said it had already introduced a policy to limit the amount of preinstalled software it loads on its PCs, and created security and privacy review processes -- actions it said are consistent with the settlement.
