Office Depot, OfficeMax, cough up $35m after charging folks millions in 'fake' malware cleanup fees

Tech support outfits settle out of court after allegations of bogus infection symptoms to extract repair charges

Office Depot and have coughed up $35m after they were accused of lying to people that their PCs were infected with malware in order to charge them cleanup fees.

On Wednesday, the pair of businesses settled a lawsuit brought against them by the US Federal Trade Commission, which alleged staff at the tech duo falsely claimed software nasties were lingering on customers' computers to make a fast buck.

The lawsuit, filed in southern Florida, claimed that from 2009 until November 2016 the two companies, including Office Depot subsidiary OfficeMax, misrepresented the state of consumers' computers by using a sales tool designed to convince people to pay for diagnostic and repair services.

"In numerous instances throughout this time period, Defendants used the PC Health Check Program to report to Office Depot Companies customers that the scan had found or identified 'Malware Symptoms' when it had not done so," the complaint stated. "Additionally, in numerous instances, the PC Health Check Program falsely reported to consumers that the program had found 'infections' on the consumer’s computer."

According to the watchdog's complaint, the PC Health Check Program was incapable of finding malware. allegedly programmed the software so that whenever an Office Depot Company employee checked any one of four checkboxes describing a generic concern, like slowness, before the scan started, the scan would automatically report the detection of malware symptoms, and for a time, infections.


But the results, it's alleged, were predetermined. "Despite the statements in the PC Health Check Program’s Detailed Report that the scan 'found infections' or 'found' or 'identified' malware symptoms, the PC Health Check Program’s detection of malware symptoms was entirely dependent on whether any of the Initial Checkbox Statements was checked and not on the actual state of the computer," the FTC court filing explained.

The cost for PC Health Check could exceed $300, the complaint stated. The defendants, according to the FTC, bilked customers out of tens of millions of dollars. To settle the charges, Office Depot has agreed to pay $25m and will pay $10m. The money will be refunded to affected customers, the FTC says.

The alleged fraud appears to have been first reported in 2016 by Seattle TV station KIRO-TV, tipped off by a whistleblower. did not immediately respond to requests for comment.

In a statement emailed to The Register, a spokesperson for Office Depot said, "Office Depot’s settlement with the Federal Trade Commission (FTC) resolves an investigation relating to a computer diagnostic service that was offered to Office Depot and OfficeMax customers prior to December 2016.... While Office Depot does not admit to any wrongdoing regarding the FTC’s allegations, the company believes that the settlement is in its best interest in order to avoid protracted litigation."

The FTC claims both companies "have been aware of concerns and complaints about the PC Health Check program since at least 2012" but Office Depot, it's claimed, nonetheless continued to push the service until 2016.

So, no wrongdoing. But $35m in penalties. ®
