A strategic partnership with VerSprite, a new bug bounty program and vendor security assessment are some of the steps NordVPN is taking after one of its servers was accessed by an unauthorized third party.

In the NordVPN breach, the hacker managed to access this single server located in Finland because of mistakes made by the data center owner, of which NordVPN wasn’t aware, according to the VPN provider. The server breach took place in March 2018 and was recently disclosed by the company.

Laura Tyrell, NordVPN’s head of public relations, tells us “we have a big supportive community but, of course, after every incident, people need assurance and explanations.”

NordVPN’s Laura Tyrell

“We received many such requests, but we also got many supportive comments, which was truly heartening,” she said. “I strongly believe that the measures we are taking will make us stronger and more secure than ever before. We feel that we owe this to the users and partners that trust us.”

The partnership with VerSprite, a cybersecurity consulting firm, will include threat and vulnerability management, penetration testing, compliance management and assessment services. VerSprite also will help to form an independent cybersecurity advisory committee, which will oversee NordVPN’s security practices.

“We have previously worked with VerSprite on our in-depth app security audit, which was finished at the beginning of October,” Tyrell said. “During our app security audit, VerSprite auditors focused on breaching confidential user data, identifying high-impact vulnerabilities that could lead to IP leaks, and overall privilege escalation. NordVPN has undergone an application penetration test divided into three different phases. This first phase covered testing NordVPN’s API endpoint and clients panel. During the second stage, VerSprite targeted the NordVPN mobile apps for iOS and Android. The last phase had the NordVPN desktop applications for Windows and macOS as the main targets. We are very pleased with the results — this audit made our apps even stronger.”

During the next few weeks, NordVPN will roll out a bug bounty program.

“Our bug bounty will reward cybersecurity enthusiasts for catching potential vulnerabilities and reporting them to us so we can fix them,” Tyrrell said. “This way, bounty hunters will get a well-earned payout, and NordVPN users will get a service that’s as secure as it gets. We will also perform regular audits and set up an independent advisory committee, for which we’ll enlist the help of third-party security experts.”

NordVPN is planning to complete a full-scale, third-party independent security audit in 2020. The audit will cover the infrastructure hardware, VPN software, backend architecture, backend source code and internal procedures. The chosen vendor for the security audit is yet to be announced.

In addition, NordVPN will introduce vendor security assessment and higher security standards. NordVPN plans to build a network of collocated servers, and while still located in a data center, the servers are wholly owned exclusively by NordVPN. The company is finishing its infrastructure review so that it can eliminate any exploitable vulnerabilities left by third-party server providers.

“As NordVPN is one of the leading VPN services in the world, the measures we are taking may bring more security and transparency overall,” Tyrrell said. “Right now, the majority of the data centers we work with …

… meet or exceed our numerous stringent security standards. However, others will need to adapt to even higher standards than before. But, as I mentioned, I strongly believe that this will contribute to better security overall.”

NordVPN also is planning to upgrade its entire infrastructure, which features more than 5,100 servers, to RAM servers. Everything the servers need to run will be provided by NordVPN’s secure central infrastructure. If anyone seizes one of these servers, they’ll find an empty piece of hardware with no data or configuration files on it, the company said.

NordVPN said it is sure no customer data was affected or accessed by the malicious actor as the server did not contain any user activity logs, usernames or passwords. NordVPN’s service as a whole was not hacked, the code was not hacked, the VPN tunnel was not breached, and the NordVPN apps stayed unaffected, the company said.

Ted Shorter, CTO at Keyfactor, said history has shown that given enough time and resources, hackers can often find their way into high-value targets, and “breaches such as this have happened in 2019 more times than I can count.”

“However, a defense-in-depth strategy could have at least prevented the hackers from stealing the private keys,” he said.