NordVPN is responding to a recent data breach with new investments intended to guard against future hacks.

The measures include hiring a cybersecurity consulting firm, VerSprite, to work alongside NordVPN's own penetration team to find and patch vulnerabilities in the company's VPN infrastructure. NordVPN will also hire a third-party vendor to complete a full security audit of its services next year, covering everything from server infrastructure and VPN software to source code and the company's internal procedures.

In the coming weeks, the company will also introduce a bug bounty program, which will allow independent security researchers to report flaws in NordVPN's products in return for a reward.

"The changes we've outlined will make you significantly safer every time you use our service. Every part of NordVPN will become faster, stronger, and more secure—from our infrastructure and code to our teams and our partners," spokesperson Laura Tyrell said in a statement. "That's our promise—we owe it to you."

This comes after news last week of a data breach at a third-party data center in Finland where NordVPN leased servers. It actually happened in March 2018, when an unknown hacker broke into a remote desktop management client on the VPN server, which was encrypting customers' internet traffic.

The affected hardware was only one of 5,000 servers NordVPN runs for its customer base of over 12 million users. Nevertheless, evidence shows the hacker likely gained root access to the Finland-based server, which would have enabled the attacker to view and modify any user traffic that flowed through the system.

NordVPN has a strict policy against keeping logs of user activity occurring over the company's VPN servers. So the hacker had no way to monitor specific users or steal their login credentials for the company's VPN client, the company said. The hacker also appears to have had root access to the server for only two weeks before the Finnish data center patched the vulnerability.

That said, there are still many unanswered questions about the breach, such as who was behind it and whether the hacker ever used the server access (and the digital certificates stolen in the hack) to target individual NordVPN users. Another disturbing fact is how long the breach went undetected. The hacker posted details of it on an 8chan forum in May 2018, and NordVPN and the Finnish data center are each blaming the other for installing the vulnerable remote desktop management tool on the server.

The uncertainty is why PCMag lowered its score of NordVPN from a five-star service down to four.

NordVPN has severed ties with the Finnish data center, and now plans to run its own hardware as opposed to renting it from third-party providers. These "collocated servers" will still be housed in third-party data centers, but the hardware itself will be exclusively owned by NordVPN.

Another safeguard involves upgrading NordVPN's server infrastructure to run entirely from volatile RAM rather than from hard drives. "If anyone seizes one of these servers, they'll find an empty piece of hardware with no data or configuration files on it," the company said.
