Over the weekend, New Relic was alerted by a sales productivity tool vendor, Apollo.io, about a security breach of their systems, which contained business-card-like customer contact information such as name, email address, phone number, company name, and job title. We are actively investigating this issue, and at this time we believe that a subset of our customers’ and prospects’ contact info may have been included.
New Relic did not sell the data to Apollo.io, but shared it solely as part of using the vendor service, which means that New Relic was the “data controller” of the impacted information and Apollo our “data processor” as defined by the General Data Protection Regulation 2016/679 (“GDPR”). No customer data from the New Relic product platform (for which New Relic acts as “data processor”) was ever linked with Apollo.io’s services or was impacted.
At New Relic, the security and privacy of our customers’ data is paramount, and we practice strict information security policies for engaging any third-party vendor. We are continuously evaluating our policies and processes across all vendors.
Please follow https://discuss.newrelic.com/c/security-notifications for additional information on this incident.
- Shaun Gordon, VP, Chief Security Officer, New Relic
Who is affected?
We are currently investigating who is impacted, but we believe that the vendor’s breach was limited to business contact information.
What data was compromised?
We are continuing our investigation, but we believe that customer or potential customer email addresses, company names, business contact information, and the names of the customers to whom those emails relate were potentially exposed. We believe that no financial account information (e.g. credit card numbers, bank account numbers, etc.), government issued identification numbers (e.g. social security numbers or passport numbers) or sensitive categories of personal data as defined under GDPR (e.g. medical information, religious preference, etc.) was exposed.
What action did New Relic take?
We have reached out to Apollo.io requesting additional information and are continuing to investigate internally.
What further actions will New Relic take?
Based on our continuing investigation, we will provide further information as appropriate.
Do you need to notify EU data protection authorities of this incident?
No. As explained above, New Relic is the “data controller” of the contact information that was exposed as a result of this incident. Accordingly, and in keeping with our responsibilities as a “data controller” under the GDPR, we will submit a notice to our lead data protection authority. We will not disclose any customer information as part of this notice.
New Relic’s commitment to our customers
At New Relic, the security and privacy of our customers is paramount, and we practice strict information security policies for engaging any third-party vendor.