Lenovo pays $3.5 million for preinstalling Superfish adware


A new state-level settlement makes the PC manufacturer pay for the root-level ad inserter

Lenovo will have to pay for the Superfish scandal after all. This morning, a coalition of 32 state attorneys general announced a $3.5 million settlement with the PC maker over the controversial adware program.

Installed in Lenovo laptops between September 2014 and January 2015, Superfish inserted pop-up advertisements into regular websites, using root-level certificate powers to insert ads even on encrypted websites. The result was a dangerous circumvention of web encryption, which was ultimately compromised by third-party hackers to bypass HTTPS on affected machines.

“No consumer should have to worry that a software glitch will make them vulnerable to hackers,” New York Attorney General Eric Schneiderman said in a statement. “This settlement will reform Lenovo’s policies and procedures to prevent this breakdown from occurring in the future.”

The state-level settlement comes just one day after a broader settlement with the Federal Trade Commission, which committed Lenovo to giving users clear notice and requiring consent for any preinstalled software in the future. Additionally, Lenovo committed to regularly scheduled security audits of its preinstalled software. Because the FTC considered the installation an initial violation, there were no monetary damages attached to the federal settlement.

Today’s settlement is still awaiting approval from the courts of each participating state. Once approved, the settlement’s $3.5 million haul will be distributed proportionately among the participating states. New York state is expected to receive $154,544 from the legal action.