NordVPN recently disclosed a server breach that occurred in March of 2018. In the breach, hackers stole encryption keys, compromising an internal signing certificate private key. The company claimed that the incident was the fault of a third-party data center, according to a blog post on their website. One out of NordVPN’s 5,000 servers, located in Finland, was accessed by a hacker, but the company claims that no customer data was affected or accessed, as the server didn’t contain any logs of user activity, passwords, or usernames.
The company is taking five steps to strengthen NordVPN’s security:
- Partnership with VerSprite: Cybersecurity consultants at VerSprite will perform penetration testing on NordVPN to find vulnerabilities before hackers, along with providing vendor risk assessment and source code analysis.
- Bug bounty program: If cybersecurity experts find potential flaws and report them to NordVPN, they will get a “well-earned payout,” according to the blog post.
- Infrastructure security audit: The company is having a third party audit their security independently next year, which will include infrastructure hardware, VPN software, internal procedures, and backend source code and architecture.
- Vendor security assessment plus higher security standards: NordVPN will build a network of colocated servers exclusively owned by NordVPN, which the company says will make breaches originating from third-party server providers impossible.
- Diskless servers: Finally, NordVPN will upgrade all of their servers to RAM servers so nothing is stored locally. Rather, the data will be stored in a centrally controlled network.
Mark Thompson, Vice President of Product Management at Keyfactor, a cybersecurity vendor, believes this breach could have happened to any VPN company, as most VPNs rely on third-party data centers. When shopping for a VPN, users should look at where the servers are located and the data policies in that country, he said in an interview with Security Baron. Thompson continued,
“Many consumers don’t know where their data is being routed to. While Europe has strict data regulations, not all countries do. I would recommend using a VPN company based in the United States or Europe where there are regulatory guidelines.”