NordVPN Beefs Up Security Following March 2018 Breach
A strategic partnership with VerSprite, a new bug bounty program and vendor security assessment are some of the steps NordVPN is taking after one of its servers was accessed by an unauthorized third party.
In the NordVPN breach, the hacker managed to access this single server located in Finland because of mistakes made by the data center owner, of which NordVPN wasn’t aware, according to the VPN provider. The server breach took place in March 2018 and was recently disclosed by the company.
Laura Tyrell, NordVPN’s head of public relations, tells us “we have a big supportive community but, of course, after every incident, people need assurance and explanations.”
“We received many such requests, but we also got many supportive comments, which was truly heartening,” she said. “I strongly believe that the measures we are taking will make us stronger and more secure than ever before. We feel that we owe this to the users and partners that trust us.”
The partnership with VerSprite, a cybersecurity consulting firm, will include threat and vulnerability management, penetration testing, compliance management and assessment services. VerSprite also will help to form an independent cybersecurity advisory committee, which will oversee NordVPN’s security practices.
“We have previously worked with VerSprite on our in-depth app security audit, which was finished at the beginning of October,” Tyrell said. “During our app security audit, VerSprite auditors focused on breaching confidential user data, identifying high-impact vulnerabilities that could lead to IP leaks, and overall privilege escalation. NordVPN has undergone an application penetration test divided into three different phases. This first phase covered testing NordVPN’s API endpoint and clients panel. During the second stage, VerSprite targeted the NordVPN mobile apps for iOS and Android. The last phase had the NordVPN desktop applications for Windows and macOS as the main targets. We are very pleased with the results — this audit made our apps even stronger.”
During the next few weeks, NordVPN will roll out a bug bounty program.
“Our bug bounty will reward cybersecurity enthusiasts for catching potential vulnerabilities and reporting them to us so we can fix them,” Tyrell said. “This way, bounty hunters will get a well-earned payout, and NordVPN users will get a service that’s as secure as it gets. We will also perform regular audits and set up an independent advisory committee, for which we’ll enlist the help of third-party security experts.”
NordVPN is planning to complete a full-scale, third-party independent security audit in 2020. The audit will cover the infrastructure hardware, VPN software, backend architecture, backend source code and internal procedures. The chosen vendor for the security audit is yet to be announced.
In addition, NordVPN will introduce vendor security assessment and higher security standards. NordVPN plans to build a network of colocated servers: while still housed in a data center, the servers would be owned exclusively by NordVPN. The company is finishing its infrastructure review so that it can eliminate any exploitable vulnerabilities left by third-party server providers.
“As NordVPN is one of the leading VPN services in the world, the measures we are taking may bring more security and transparency overall,” Tyrell said. “Right now, the majority of the data centers we work with …