Lenovo CTO Finally Apologizes for PC Security Fiasco
Lenovo Chief Technology Officer Peter Hortensius yesterday apologized for the Superfish spyware installed on several of its PC models, saying it shouldn't have happened and that the company is putting together a plan to ensure it never happens again.
"All I can say is we made a mistake and we apologize," Hortensius said in an interview with The New York Times. "That's not nearly enough. So our plan is to release, by the end of the week, the beginning of our plan to rebuild that trust. We are not confused as to the depth of that this has caused people not to trust us. We will do our best to make it right. In the process, we will come out stronger. But we have a long way to go to make this right."
Hortensius said so far Lenovo has not seen any evidence that the malicious software that was embedded deep within the company's systems put any customers or their data at risk. "We are not aware of this actually being used in a malevolent way," he told The Times' Nicole Perlroth. Asked if it's possible that Lenovo engineers installed this on any other models than the two already reported (the Yoga 2 models and Edge 15), Hortensius said he didn't believe so but the company is investigating and will have an answer by the end of the week.
Nevertheless, some of his responses were troubling. Why did it take more than a month for Lenovo to get to the bottom of this once it was reported to the company? "At that time, we were responding to this issue from a Web compatibility perspective, not a security perspective," he said. "You can argue whether that was right or wrong, but that's how it was looked at." Hortensius also wasn't able to answer Perlroth's question regarding how the opt-in processes work.
He was also unable to explain how the company was unaware that Superfish was hijacking the certificates. "We did not do a thorough enough job understanding how Superfish would find and provide their info," he said. "That's on us. That's a mistake that we made."
Indeed, mistakes were made. Some might credit him for saying as much and apologizing. But based on the comments from my report on the issue earlier this week, it may be too little, too late.
"I didn't trust Lenovo even before this issue," said one commenter who goes by the name "gisabun." "Expect to see sales drop a bit [even if the corporate sales are generally unaffected]. Microsoft needs to push all OEMs to remove unnecessary software."
"Bruce79" commented: "Inserting a piece of software that opens unsuspecting users up to security attacks? That is a clear betrayal, regardless of price."
Kevin Parks said, "We need a class-action lawsuit to sue them into oblivion. That would tell vendors that we won't accept this kind of behavior."
Another had a less extreme recommendation: "What Lenovo could and should do is simple. Promise to never put third-party software on their machines for [X number] of years. After X number of years, no software will be preloaded; Lenovo will ask if you want the software downloaded and installed."
Was the Lenovo CTO's apology a sincere mea culpa, or was he just going into damage-control mode? Do you accept his apology?
Posted by Jeffrey Schwartz on 02/25/2015 at 9:36 AM