Lenovo has issued apologies, is offering free security software monitoring, and says it will produce bloatware-free PCs in the future. But if the world’s top PC maker thought the Superfish adware debacle was over, it’s not. The lawyers and attorneys general are coming.

On Monday, Reuters reported that North Carolina Attorney General Roy Cooper’s office is concerned and “monitoring the situation.”

But the worst news comes from Connecticut, where that state’s AG, George Jepsen, announced he had launched an investigation.

“These alarming revelations raise concerns that Lenovo may have seriously undermined computer users’ online security and privacy,” Jepsen wrote Lenovo.

“Significant Security Vulnerability”

In a two-page letter, Jepsen called for Lenovo to respond to 11 questions seeking internal and external information about the Superfish software, which was pre-installed on more than 40 Lenovo laptops between September of last year and late January. Lenovo insists the software was only installed on PCs sold to consumers.

“It’s extremely concerning that, based on published reports, Lenovo installed this software – which appears to have no meaningful benefit to the consumer – on devices without the purchaser’s knowledge,” Jepsen said in announcing the inquiry.

“It is bad enough that the company sold consumers computers pre-loaded with software designed to track their browsing without alerting them. Even more alarming is that the software reportedly has a significant security vulnerability, putting computer users at risk of hacking. After consultation with technical experts, I have opened an investigation and asked both Lenovo and Superfish to provide information in order for me to determine if they have violated Connecticut’s laws prohibiting unfair and deceptive trade practices.”

Jepsen also cited the Department of Homeland Security’s warning about the risks posed by the software.

Meanwhile, class action suits could happen as well on behalf of consumers who were exposed to cyber attack by vulnerabilities linked to software used in the creation of Superfish.

Lenovo and Superfish told Reuters they will cooperate with the probes. But that’s expected. Can you imagine the outcry if Lenovo clammed up on what may be the biggest gaffe in the normally wise and well-run company’s history?

The Letter

Here is the letter in full from Jepsen as addressed to Gerry Smith, Lenovo’s executive vice president, in Morrisville where Lenovo maintains its global executive headquarters.

RE: Superfish software

Dear Mr. Smith:

I write concerning the recent reports that Lenovo sold certain models of personal computers pre-installed with a software program – Superfish Visual Discovery – that tracks users’ web searching and browsing activity in order to place additional ads on the sites they visit. These alarming revelations raise concerns that Lenovo may have seriously undermined computer users’ online security and privacy.

Technical experts quoted in news accounts indicate that the Superfish software potentially facilitates the ability of hackers to access users’ computers. Reports also indicate that the software resides in the lowest level of the computers’ operating system making it difficult to detect or remove by common antivirus products and techniques.

It also appears that Lenovo failed to apprise purchasers of computers that they had sold them computers pre-loaded with Superfish. Indeed, Lenovo’s chief technology officer, Peter Hortensius, is quoted as acknowledging that the company “messed up badly.”

In order for us to determine if Lenovo’s conduct constituted violations of Connecticut law that prohibits unfair or deceptive trade practices, we ask that you provide the following information:

1. Please identify the number of Lenovo personal computers containing the Superfish software sold in the United States;

2. Please identify the dates on which Lenovo personal computers containing the Superfish software were sold;

3. Please identify the number of Connecticut residents who registered computers which had or may have had Superfish software installed;

4. Please identify any other information about the number of computers with Superfish software sold or shipped to Connecticut residents;

5. Please identify all agreements and/or contracts between Lenovo and Superfish pertaining to the software;

6. Please identify all communications between Lenovo and Superfish pertaining to the software;

7. Please identify all internal communications pertaining to the Superfish software;

8. Please identify all information you received from the party with whom you arranged to start using Superfish software about how it worked and what it did;

9. Please identify and describe all independent testing and investigation you performed or had performed regarding how Superfish software worked and what it did;

10. Please identify all financial arrangements between you and the entity with whom you agreed to use Superfish software; and

11. Please describe what remedial measures Lenovo has taken or intends to take subsequent to its decision to cease selling personal computers with the Superfish software.

Along with the responses, please provide us with copies of any documents identified in your responses and any other documents that support the responses. We ask that you provide the requested data within twenty (20) days of the date of this letter.