October 9, 2018
This is a summary of the 2018 security breach of the systems of Apollo.io and New Relic's response.
Security officer statement
Over the weekend, New Relic was alerted by a sales productivity tool vendor, Apollo.io, about a security breach of their systems, which contained business-card-like customer contact information such as name, email address, phone number, company name, and job title. We are actively investigating this issue, and at this time we believe that a subset of our customers’ and prospects’ contact info may have been included.
New Relic did not sell the data to Apollo.io, but shared it solely as part of using the vendor service, which means that New Relic was the “data controller” of the impacted information and Apollo our “data processor” as defined by the General Data Protection Regulation 2016/679 (“GDPR”). No customer data from the New Relic product platform (for which New Relic acts as “data processor”) was ever linked with Apollo.io’s services or was impacted.
At New Relic, the security and privacy of our customers’ data is paramount, and we practice strict information security policies for engaging any third-party vendor. We are continuously evaluating our policies and processes across all vendors.
Please follow discuss.newrelic.com/c/security-notifications for additional information on this incident.
- Shaun Gordon, VP, Chief Security Officer, New Relic
Summary of incident
Who is affected?
We are currently investigating who is impacted, but we believe that the vendor’s breach was limited to business contact information.
What happened?
New Relic was recently notified by Apollo.io that personal data that we shared with them in accordance with our Privacy Policy was exposed by a breach. We then started our investigation to learn more about the scope of the data involved. Our privacy policy is described further at: newrelic.com/termsandconditions/privacy. New Relic did not sell the data to Apollo, but shared it solely to assist in providing services to New Relic.
What data was compromised?
We are continuing our investigation, but we believe that customer or potential customer email addresses, company names, business contact information, and the names of the customers to whom those emails relate were potentially exposed.
We believe that no financial account information (such as credit card numbers, bank account numbers, etc.), government issued identification numbers (such as social security numbers or passport numbers) or sensitive categories of personal data as defined under GDPR (such as medical information, religious preference, etc.) was exposed.
What action did New Relic take?
We have reached out to Apollo.io requesting additional information and are continuing to investigate internally.
What further actions will New Relic take?
Based on our continuing investigation, we will provide further information as appropriate.
Do customers need to notify EU data protection authorities of this incident?
No. As explained above, New Relic, not its customers, is the “data controller” of the contact information that was exposed as a result of this incident. Accordingly, and in keeping with our responsibilities as a “data controller” under the GDPR, New Relic will submit a notice to our lead data protection authority. We will not disclose any customer information as part of this notice.
Update and resolution
November 5, 2018
Apollo.io, a sales intelligence vendor, was notified about a security breach of their systems by an external security researcher. The data involved contained business-card-like contact information such as name, email address, phone number, company name, and job title. After investigation of this issue, we determined that a specific set of New Relic customer and prospect contact info had been included but we have found no evidence of misuse. Per our request, all data from New Relic obtained by Apollo.io has been purged from their systems.
New Relic did not sell the data to Apollo.io, but shared it solely as part of using the vendor service, which means that New Relic was the “data controller” of the impacted information and Apollo.io our “data processor” as defined by the General Data Protection Regulation 2016/679 (“GDPR”). No customer data from the New Relic product platform (for which New Relic acts as “data processor”) was ever linked with Apollo.io’s services or was impacted.
At New Relic, the security and privacy of our customers’ data is paramount, and we practice strict information security policies for engaging any third-party vendor. We are continuously evaluating our policies and processes across all vendors.
Our commitment to our customers
At New Relic, the security and privacy of our customers is paramount, and we practice strict information security policies for engaging any third-party vendor.
We value our relationship with you. If you have any additional questions, we encourage customers to contact us at support.newrelic.com. For more information about our privacy policy, visit newrelic.com/termsandconditions/privacy.