Notification of security incident

October 9, 2018

This is a summary of the 2018 security breach of the systems of and New Relic's response.

Security officer statement

Over the weekend, New Relic was alerted by a sales productivity tool vendor,, about a security breach of their systems, which contained business-card-like customer contact information such as name, email address, phone number, company name, and job title. We are actively investigating this issue, and at this time we believe that a subset of our customers’ and prospects’ contact info may have been included.

New Relic did not sell the data to, but shared it solely as part of using the vendor service, which means that New Relic was the “data controller” of the impacted information and Apollo our “data processor” as defined by the General Data Protection Regulation 2016/679 (“GDPR”). No customer data from the New Relic product platform (for which New Relic acts as “data processor”) was ever linked with’s services or was impacted.

At New Relic, the security and privacy of our customers’ data is paramount, and we practice strict information security policies for engaging any third-party vendor. We are continuously evaluating our policies and processes across all vendors.

Please follow for additional information on this incident.

- Shaun Gordon, VP, Chief Security Officer, New Relic

Summary of incident

Who is affected?

We are currently investigating who is impacted, but we believe that the vendor’s breach was limited to business contact information.

What happened?

New Relic was recently notified by that personal data that we shared with them in accordance with our Privacy Policy was exposed by a breach. We then started our investigation to learn more about the scope of the data involved. Our privacy policy is described further at: New Relic did not sell the data to Apollo, but shared it solely to assist in providing services to New Relic.

What data was compromised?

We are continuing our investigation, but we believe that customer or potential customer email addresses, company names, business contact information, and the names of the customers to whom those emails relate were potentially exposed.

We believe that no financial account information (e.g. credit card numbers, bank account numbers, etc.), government issued identification numbers (e.g. social security numbers or passport numbers) or sensitive categories of personal data as defined under GDPR (e.g. medical information, religious preference, etc.) was exposed.

What action did New Relic take?

We have reached out to requesting additional information and are continuing to investigate internally.

What further actions will New Relic take?

Based on our continuing investigation, we will provide further information as appropriate.

Do you need to notify EU data protection authorities of this incident?

No. As explained above, New Relic is the “data controller” of the contact information that was exposed as a result of this incident. Accordingly, and in keeping with our responsibilities as a “data controller” under the GDPR, we will submit a notice to our lead data protection authority. We will not disclose any customer information as part of this notice.

Our commitment to our customers

At New Relic, the security and privacy of our customers is paramount, and we practice strict information security policies for engaging any third-party vendor.

We value our relationship with you. If you have any additional questions, we encourage customers to contact us at For more information about our privacy policy, visit

For more help

Recommendations for learning more: