#Privacy: NordVPN gives late notification of a data breach suffered last year


Popular virtual private network provider NordVPN has revealed that it suffered a data breach in 2018.

The cybersecurity incident was first discovered a number of months ago, following the exposure of an expired internal security key, reports reveal. The vulnerability allowed anyone to gain unauthorised access to the company.

Users of NordVPN were not immediately notified because the company needed to be “100% sure that each component within our infrastructure is secure,” NordVPN said.

The weakness that led to the data breach can be traced back to March 2018, when one of the firm’s data centres in Finland began raising flags regarding potential unauthorised access. An unknown party had managed to infiltrate the server by taking advantage of the provider’s unsecured remote management system.

In an official release, NordVPN said:

“Only 1 of more than 3000 servers we had at the time was affected,” adding that the firm ended its contract with the data centre provider in the immediate aftermath of the hack.

NordVPN said:

“We are taking all the necessary means to enhance our security. We have undergone an application security audit, are working on a second no-logs audit right now, and are preparing a bug bounty program.

“We will give our all to maximize the security of every aspect of our service, and next year we will launch an independent external audit … of our infrastructure to make sure we did not miss anything else.”

In a statement to TechCrunch, NordVPN spokesperson Laura Tyrell said:

“The server itself did not contain any user activity logs; none of our applications send user-created credentials for authentication, so usernames and passwords couldn’t have been intercepted either.

“On the same note, the only possible way to abuse the website traffic was by performing a personalized and complicated man-in-the-middle attack to intercept a single connection that tried to access NordVPN.”

