Few things to note here are that what actually reached the OP was a cold sales email, not someone who had their password or payment info. The data that moved was business contact info going through a sales pipeline. Annoying? Absolutely. But the comments in here talking about GDPR fines and comparing this to actual data breaches feel like a massive escalation from what actually happened. I've seen real breaches in this industry. This isn't one. This is probably some SDR from sales team or the prospecting tool which is Apollo being sloppy in this case with their processes and not thinking through what happens to the data they're working with.