Updated, four days later (November 26). No, we still have no update either... We're watching closely and shaking the tree.
Application Performance Monitoring (APM) specialist New Relic is warning customers of “a recent cybersecurity incident” – but providing no details whatsoever yet on the nature or extent of the incident.
It has brought in third-party support.
In a terse update posted November 22, the company said that “We value our New Relic community and we want to make our customers aware of a recent cybersecurity incident that we are working diligently to investigate with the support of third-party cybersecurity experts. Customers will be directly contacted if there are any specific actions required of you.”
New Relic, which competes with the likes of Dynatrace and DataDog on observability, serves around 15,000 enterprise customers globally and has revenues of ~$1 billion annually. It employs approximately 2,700 staff.
See also: New Relic takes aim at rivals' "hidden costs", launches new infrastructure monitoring platform
It added: “To be clear, if you do not hear from us, there is no action you need to take at this time. As always, we recommend that you remain vigilant and monitor your account for suspicious activity… We encourage you to review Security Guides for best practices as well as our Security Bulletins for updates. We will continue to provide relevant updates as we have more information to share,” it said in the advisory “NR23-01.”
The incident comes weeks after the company went private following a $6.5 billion buyout by private equity firms Francisco Partners and TPG – and as many in the US were heading off for a long Thanksgiving weekend.
New Relic says its SaaS platform queries four trillion data points per minute for customers, and serves 160+ billion web requests daily.
Gartner warned in its 2023 APM Magic Quadrant that New Relic had been “slow to incorporate native security monitoring and attack mitigation capabilities in its product” (SaaS, largely running from AWS, with an Azure option added in 2022) and customers will be hoping that this does not also apply to its own corporate IT estate and services. (The company has a solid security team, on paper, that it was looking to expand earlier this year; recruiting over the summer for a Lead Security Engineer on its infrastructure assurance team to "help ensure a secure-by-design model in our product and enterprise infrastructure" saying it was seeking "someone deeply technical, extremely collaborative, and who has a passion for mentoring and guiding security and product engineers alike.")
Companies looking for how to do incident disclosure well can meanwhile turn to this months’ examples of Cloudflare, which had a comprehensive post-mortem of an extensive outage shared within days of it happening, or Boeing, which has laudably shared the TTPs of the attackers who hit it with ransomware this month, via a coordinated Five Eyes report.
Customers, keep a close watch on that security bulletin and if you have not yet, set everyone you conceivably can up with phishing-resistant MFA.
