Virtual private network provider NordVPN, which operates in more than 60 countries, was breached last year after an outsider infiltrated a Finnish data center, the firm said Monday.
In a statement on its website, NordVPN said it learned in March 2018 about the intrusion, which occurred on a server that NordVPN rents from another company. The hacker leveraged an unprotected remote management system left exposed by the data center.
The VPN provider says usernames and passwords could not have been intercepted, and user activity logs likewise seem safe. It may have been possible, though, for the intruder to abuse website traffic and monitor some user activity, NordVPN says.
The affected server was taken offline and “ceased to exist” on March 5, 2018, while NordVPN ended its contract with the data center provider as a result of the incident.
“This was an isolated case, and no other data center providers we use have been affected,” the firm said in a blog post.
NordVPN did not name the data center provider in question, but a board member identified the hosting provider Creanova as the culprit, according to a Bloomberg report. That company, in turn, faulted NordVPN.
Representatives from NordVPN, which operates out of Panama, previously told reporters the company collects from customers only an active email address and financial information to maintain their subscriptions.
But VPNs, unlike most digital services, are used for the express purpose of encrypting sensitive web traffic. A breach at a VPN service, even if few details are available, could undercut trust in that organization and, worse, leave exposed those users who have a false sense of security.
The disclosure also comes amid an urgent, ongoing conversation throughout the security community about the importance of proper data protection through the supply chain. Attackers who infiltrate one company are more likely to abuse that access and break into other networks. Now, as NordVPN,