NordVPN is taking steps to ensure customers that it can stay true to its promise of providing "secure and private access to the internet" after admitting that an attacker breached one of its servers. To start with, its in-house team of penetration testers will now be working with cybersecurity firm VerSprite to conduct comprehensive penetration testing, intrusion handling and source code analysis. The firm will also help NordVPN form an independent cybersecurity advisory committee as part of their long-term partnership.
In an effort to find vulnerabilities before a bad actor does again, it's also launching a bug bounty program over the next few weeks. NordVPN also promises to undergo a complete a full-scale third-party independent security audit covering its hardware, software, backend architecture, backend source code and internal procedures in 2020.
The company says it's planning to build a network of collocated servers -- or servers it will fully own even though they're located in a rented data center space -- as well. It's just currently finishing its infrastructure review to look for and remove any exploitable vulnerabilities left by third-party server providers. Finally, NordVPN says it's planning replace its entire infrastructure with diskless servers so that nothing will be stored locally. That way, even if an infiltrator seizes a server, they won't find anything in it.
NordVPN admitted last week that an unauthorized person accessed a server it rented from a data center in Finland back in March 2018. That data center spotted the infiltrator and removed their access without informing the company, but NordVPN found out about the incident a few months ago and ended its contract with the provider.
The company says it's sure that the infiltrator wasn't able to access customer data, since the compromised server didn't contain any activity logs, usernames or passwords. An Ars Technica report says the hackers were able to steal encryption keys that could be used to stage decryption attacks on some customers. But NordVPN maintains that the "service as a whole was not hacked, the code was not hacked, the VPN tunnel was not breached and the NordVPN apps stayed unaffected."