
What Rippling’s Insider Scandal Reveals About SaaS Risk

Kate Turchin
Updated
June 11, 2025

Insider threats are back in the spotlight. In March 2025, HR tech company Deel – a $12 billion unicorn – was accused of planting a mole inside its competitor, Rippling, to steal sensitive business information. This real-life corporate espionage saga reads like a spy thriller: an insider allegedly funneled intelligence on customers and sales from Rippling straight to Deel, exploiting everyday SaaS tools in the process. 

It’s a reminder that sometimes the biggest threats come from those already on the inside. In this article, we’ll recap what happened in the Rippling/Deel incident, how a malicious insider leveraged a SaaS app (Slack) to exfiltrate data, and discuss how Dynamic SaaS Security approaches (like Reco’s) can help identify and stop insider threats – even in today’s world of rampant app sprawl, identity sprawl, and AI sprawl.

A Competitor Cultivates an Insider Spy

Rippling’s nightmare began when an employee turned out to be an undercover agent allegedly working for competitor Deel. According to Rippling’s lawsuit, Deel’s leadership orchestrated a multi-month campaign to harvest confidential data by cultivating a Rippling employee as a spy. Over about four months, this mole abused his internal access to conduct thousands of suspicious queries across company systems, all aimed at gathering intel to benefit Deel. In fact, he reportedly searched the term “Deel” in Rippling’s internal records on average 23 times every day, sweeping up details on Rippling’s sales pipeline, pricing proposals, sales meetings, and even training materials on competing with Deel. Every bit of this stolen intelligence was fed back to Deel’s team to give them a competitive edge.

The extent of the insider’s spying was rather serious. Rippling alleges the mole obsessively scoured internal Slack channels and other systems he had no legitimate business reason to access. When Rippling’s security team finally detected the unusual activity, they set up a clever sting operation to catch the perpetrators red-handed. Rippling’s team created a honeypot – they sent a letter to a few top Deel executives referencing a fictitious Slack channel named “d-defectors” that supposedly contained juicy information. Sure enough, within hours, the insider searched for this never-before-used Slack channel, implying that Deel’s senior leadership was actively directing the espionage.

The confrontation that followed was dramatic. Investigators served the Rippling employee (the alleged spy) with a court order at the office, demanding access to his phone. He locked himself in a bathroom rather than comply. Even after being warned that deleting evidence could land him in jail, the spy defiantly replied, “I’m willing to take that risk,” and fled the premises. This response speaks volumes – it appears he was more afraid of being caught by his handlers or losing his reward than of legal consequences. 

So, what did Deel gain from this high-risk insider scheme? 

• The interception of sales deals. By tracking which prospective customers were talking to Rippling in real time, they could swoop in to counter Rippling’s sales efforts.

• Preempting customer churn. If a Deel client was evaluating switching to Rippling, the insider’s intel let Deel’s team proactively retain that customer (for example, by offering discounts or other incentives to stay).

• The ability to poach employees. The spy even accessed private contact details of Rippling staff, enabling Deel to cold-call and recruit Rippling employees – sometimes making offers without even an interview, presumably armed with confidence from insider info.

• The potential to shape PR stories. With inside knowledge of Rippling’s business, Deel could anticipate or counter negative press about its own issues by leveraging or misusing confidential information from Rippling.

How a Malicious Insider Exploited Slack to Perform Corporate Espionage

It’s notable (and a bit ironic) that Slack, an everyday workplace collaboration app, was allegedly the spy’s main tool for espionage. We often think of insider threats as downloading databases or forwarding emails, but here the attacker literally used Slack’s search bar as a weapon. According to the lawsuit, the mole queried Slack over 6,000 times, scouring channel messages and files far outside his job scope. He systematically accessed Slack channels he wasn’t even involved in, trawling for any mention of “Deel” or other sensitive keywords. In doing so, he swiped confidential sales pipeline data and internal customer interactions that Rippling employees were innocently discussing on Slack.

Why Slack? Primarily because most digital companies in 2025 run on Slack (or similar SaaS chat platforms). Teams share updates about sales deals, customer issues, product plans, and even HR conversations in chat channels, assuming the conversation is internal and relatively private. This creates a treasure trove of information spread across hundreds of channels – which a determined insider can exploit if proper controls and monitoring aren’t in place. The spy’s tactics also demonstrate a broader security challenge: SaaS apps have become an under-monitored vector for data exfiltration.
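The two signals in this account, a sustained volume of competitor-keyword searches and a lookup of the decoy channel name, can be written as simple detection logic over search-event records. The following is an added example, not code from Rippling, Slack, or Reco; the record fields (`user`, `ts`, `query`), the threshold, and the sample events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# All values below are constructed for illustration. The record fields
# (user, ts, query) are assumptions, not the schema of any real product.
DECOYS = {"d-defectors"}   # decoy channel name used in the sting
WATCH_TERM = "deel"        # competitor keyword from the lawsuit's account
DAILY_LIMIT = 10           # assumed per-user, per-day threshold

def sample_events():
    """Constructed search log: one heavy searcher, one ordinary sales rep."""
    events = []
    for day in ("03", "04", "05"):
        for i in range(23):  # 23 watch-term searches per day
            events.append({"user": "mole", "ts": f"2025-03-{day}T09:{i:02d}:00",
                           "query": "Deel pricing proposal"})
        for i in range(2):   # occasional, role-appropriate searches
            events.append({"user": "ae1", "ts": f"2025-03-{day}T11:{i:02d}:00",
                           "query": "deel competitive deck"})
    events.append({"user": "mole", "ts": "2025-03-06T14:05:00",
                   "query": "in:#d-defectors"})
    return events

def detect(events, daily_limit=DAILY_LIMIT):
    """Return (rule, user, day) alerts in time order."""
    per_day = defaultdict(int)
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        query = e["query"].lower()
        day = datetime.fromisoformat(e["ts"]).date().isoformat()
        # Rule 1: nobody has a legitimate reason to search for a decoy name,
        # so a single hit is a high-confidence signal.
        if any(d in query for d in DECOYS):
            alerts.append(("decoy_search", e["user"], day))
        # Rule 2: volume of watch-term searches per user per day.
        if WATCH_TERM in query:
            per_day[(e["user"], day)] += 1
            if per_day[(e["user"], day)] == daily_limit + 1:  # fire once per day
                alerts.append(("keyword_volume", e["user"], day))
    return alerts

if __name__ == "__main__":
    for alert in detect(sample_events()):
        print(alert)
```

A fixed threshold is the weak part of this sketch: set too low, it also fires on the sales rep's ordinary searches, which is why per-user or per-role baselines matter for the volume rule while the decoy rule needs no tuning.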

Why Malicious Insiders are Difficult to Spot

Traditional security tools (like legacy DLP systems) weren’t built to monitor chat messages, cloud docs, and SaaS search queries in real-time. In a cloud-first world, employees constantly find creative exfiltration paths that legacy defenses often miss. For example, a legacy DLP might flag an email with an attachment, but it could completely overlook a user who is slowly siphoning information by searching internal Slack threads and copying tidbits out. These tools also tend to flood security teams with false alarms while missing the subtle insider clues in SaaS activity.

Another issue is the scale of SaaS usage. Enterprises are dealing with severe app sprawl and corresponding data sprawl. Corporate data isn’t just in databases; it’s scattered across chat logs, cloud drives, project management boards, and more. The more apps and integration points you have (including third-party and shadow IT apps), the more pathways an insider can find to access data. Meanwhile, identity sprawl has each employee maintaining dozens of accounts and access credentials across these apps, making it infeasible to strictly keep privileges in check at all times. A somewhat intelligent insider like the Rippling mole can take advantage of over-broad access – e.g. being in Slack channels or SaaS accounts they shouldn’t be – without immediate detection. And as the Rippling case proved, if nobody’s watching unusual internal behavior, an insider can operate for months under the radar.

Finally, also consider AI sprawl. A lot of organizations are now integrating AI copilots and generative AI tools into their workflows. This introduces new insider risk: an employee might use an AI chatbot to surface or even leak private information with a simple prompt. (Imagine someone asking a connected AI, “List all clients planning to move off our competitor,” and the AI combs internal data for the answer.) The rise of such AI tools means insiders have even more avenues to pull sensitive data out of SaaS systems in clever ways. All these factors – app sprawl, identity sprawl, data sprawl, and AI integration – create a perfect storm where insider threats are harder than ever to spot with legacy approaches.

Stopping Insider Threats with Dynamic SaaS Security

Catching an insider like the one at Rippling requires more than luck – it needs continuous, contextual monitoring of user activity across your SaaS environment. This is where dynamic SaaS security platforms like Reco come into play. Instead of relying on point solutions that only watch one app or generate noisy alerts, Reco takes a smart, integrated approach to insider risk:

1. Visibility across SaaS apps

Reco connects to your key SaaS platforms (Slack, Google Workspace, Salesforce, Okta, and hundreds more) to give a complete view of who has access to what, and how they behave on each app. This combats app sprawl by ensuring no application is a blind spot. In a case like Rippling’s, Reco would see that an employee is accessing Slack channels or records unrelated to his role – a massive red flag.

Reco SaaS App Discovery

2. Identity correlation

Reco’s platform maps a person’s identities and accounts across all apps and correlates them with their activities, devices, and locations. By building a knowledge graph of identity behavior, Reco can recognize when User X on Slack is the same person as User Y on Salesforce, and what normal behavior actually looks like for that individual. This contextual baseline makes it easier to spot anomalies. For instance, if an engineer suddenly starts querying sales deals in Slack and downloading customer lists from a CRM at 2 AM, Reco will flag it as suspicious.

Reco Identity Knowledge Graph

3. Live threat detection

Rather than drowning you in alerts, Reco focuses on context-based alerts that highlight genuinely risky activity. It uses hundreds of pre-built detection rules (mapped to frameworks like MITRE ATT&CK) to catch things traditional tools miss. For example, Reco can alert on suspicious data access and exfiltration attempts as they happen, before information walks out of the door. In practice, that could mean instantly warning the security team if an employee is performing thousands of repetitive searches in Slack (as happened at Rippling) or if they share an unusual volume of files with an external account.

Reco MITRE ATT&CK Coverage

4. Automatic policy enforcement

Reco not only generates alerts, but can also trigger automated responses via your existing security tools (SIEM/SOAR). It enables one-click protective actions – for instance, instantly revoking a rogue user’s access to Slack or locking down a sensitive file if suspicious behavior is confirmed. Reco helps tighten configuration and access controls proactively. It identifies over-privileged accounts and misconfigurations that could be abused by an insider. By cleaning up these risks (part of good identity & access governance), you reduce the chances of a disgruntled employee being in a position to spy in the first place.

Reco Policy Center

Take Your Next Steps With Reco

No organization can afford to ignore insider threats, whether they are malicious spies or just careless employees. The good news is that security leaders are not powerless. By investing in tools that tackle SaaS, identity, and data sprawl head-on, and by instituting insider risk programs, companies can drastically mitigate the chances of the call coming from inside the house. 

If you’re looking to strengthen your defenses against insider incidents, education and strategy are key. For a deeper dive, check out Reco’s guide, The CISO’s Playbook for Insider Risk Management, which offers a complete framework for preventing, detecting, and responding to insider threats at scale.

This comprehensive playbook explores common insider threat scenarios, why traditional solutions fall short, and the 9 key components of an effective insider risk program – distilled from real-world experience. It even includes a case study (how one company uses Reco to combat insider risks) and a handy checklist to kickstart your own insider threat program. 

Don’t wait for an espionage scandal to make the headlines in your organization. Download the guide here.


Kate Turchin

ABOUT THE AUTHOR

Kate Turchin is the Director of Demand Generation at Reco.

Technical Review by:
Gal Nakash
Technical Review by:
Kate Turchin

