The company faced a class action alleging that its users' privacy had been compromised.
Lenovo, regarded as a reliable technology company and computer manufacturer, drew the attention of the cybersecurity community in 2015, after digital forensics specialists disclosed that 750,000 laptops made by the company had an adware program called VisualDiscovery, developed by the company Superfish, preinstalled on their systems.
Digital forensics experts from the national cybernetic security institute said that this adware helped compromise the online security measures of the machines where it was installed. It allowed access to the user's financial information and made possible a variant of the attack known as man-in-the-middle against private connections, through which an attacker could have gained access to the machine's system to spy on the user's encrypted communications.
The U.S. District Court for the Northern District of California gave initial approval to the agreement on September 21, four months after Lenovo and the customers came before the court to end the action against the spy software installed on the laptops.
Following the class action, Lenovo reached an agreement to pay 7.3 million dollars to the customers who found the adware installed on their devices, which put their privacy at risk.
Until this resolution became public, Lenovo denied the accusations made in the class action and affirmed that it did not know of any third party exploiting its apps. In addition, the company affirms that since 2015 it had stopped selling the Superfish software with its computers.
“Lenovo has never agreed with the accusations of this collective claim, but with this the company is happy that, at last, we can close this case that has been through 2 years of legal processes. To this day Lenovo has no knowledge of any case of third parties being able to exploit a vulnerability to obtain access to the user’s communications,” said a statement from the company.
Back in 2015, Robert Graham, a digital forensics expert, analyzed the Superfish software. He later described his findings:
“The Superfish software can be considered malicious in a lot of ways. It is designed to intercept any kind of coded connection. However, they do this in a very deficient way, leaving the system exposed to hackers or intelligence agencies very similar to the NSA, that could spy on our private bank operations,” affirmed Graham.
In 2017, Lenovo agreed with the Federal Trade Commission, Connecticut and 31 other states to pay 3.5 million dollars over similar issues. The company also promised to change the way it trades and sells its devices. In addition, under an additional agreement, the company paid a further 3.5 million to the state authorities.