With its third data security-related settlement in as many weeks, the Federal Trade Commission laid blame Tuesday on a “man in the middle”—a software program, designed to interfere with how browsers interact with websites, that left sensitive consumer information vulnerable.

The FTC joined with 32 state attorneys general—including California, New Jersey, Pennsylvania, New York and Connecticut—in faulting Lenovo Inc., a leading computer manufacturer, for pre-installing such software on laptops beginning in August 2014. According to the FTC settlement, the pre-installed program—called “VisualDiscovery”—was developed by the California-based company Superfish Inc. to deliver pop-up ads for retail partners' products whenever a consumer's cursor hovered over a similar-looking product.

To make those pop-up ads possible, VisualDiscovery meddled in the interaction between browsers and websites, the FTC said. This “man-in-the-middle” role, as the FTC characterized it, allowed the software to access all of the sensitive data consumers transmitted over the internet, including financial information, log-in credentials and Social Security numbers.

Lenovo, represented by Perkins Coie partners Janis Claire Kestenbaum in Washington and Rebecca Engrav in Seattle, agreed to pay $3.5 million to settle the state attorneys general claims. Kestenbaum and Engrav did not immediately respond to a request for comment Tuesday.

Lenovo said the company stopped preloading computers with VisualDiscovery in early 2015 after learning of issues with the software. “While Lenovo disagrees with allegations contained in these complaints, we are pleased to bring this matter to a close after 2-and-a-half years,” the company said in a statement.

VisualDiscovery had access to that information without consumers' knowledge or consent, and shortcomings in the software's security measures made sensitive electronic communications with financial institutions and medical providers vulnerable to hackers, according to the FTC.

In a conference call Tuesday, Acting FTC Chairwoman Maureen Ohlhausen described the software program as the “online equivalent” of someone stealing mail without the intended recipient's knowledge, opening it and then reading it before putting it back in the mailbox. Ohlhausen criticized Lenovo for failing to review the software for potential risks or require the third-party provider to take reasonable cybersecurity measures.

The settlement requires Lenovo to obtain consumers' consent before installing similar software. For the next 20 years, the company will also be required to maintain a software cybersecurity program subject to third-party audits. Lenovo must submit a compliance report next year to the FTC.

“Certainly this case sends a very important message that everybody in the chain really needs to pay attention,” Ohlhausen said.

New Jersey Attorney General Christopher Porrino said Tuesday the Lenovo settlement “sets down a variety of conditions designed to ensure that, going forward, Lenovo will better protect the personal identifying information of consumers, be more transparent about what software is pre-installed on the products it sells, and provide consumers clearer and more accessible ways to opt out of having such software activated—or present on the machine at all.”

Tuesday's settlement came as part of a late summer string of FTC enforcement actions over allegations of lax data security. On Aug. 15, the ride-hailing giant Uber Technologies Inc. agreed to 20 years of compliance monitoring to resolve allegations that it failed to secure sensitive information stored in the cloud and misrepresented its efforts to restrict employees' access to consumer data.

Two weeks later, the FTC reached a settlement with TaxSlayer, a Georgia-based online tax preparer service, over claims that the company's cybersecurity shortcomings allowed hackers to access nearly 9,000 accounts between October and December 2015 and then use the information to receive fraudulent tax refunds.
