Rippling Believe it or Not: How the Largest Corporate Espionage Case this Century Happened

Rippling, a leader in workforce management software, filed a lawsuit against its competitor, Deel, accusing it of planting a spy and exfiltrating customer and competitive information. This blog unpacks how it happened and how it could have been prevented.
Shawn Hays
Last updated March 20, 2025

The HR technology space is highly competitive, and tensions have been high, with public disputes and aggressive marketing campaigns in the years following the COVID-19 pandemic. This competition led to the most significant corporate espionage case this century.

Rippling is a successful player in the workforce management technology space and recently filed a lawsuit against its competitor, Deel, accusing it of racketeering, misappropriation of trade secrets, and other serious allegations. The lawsuit centers on an employee who allegedly spied for Deel, accessing confidential information on Slack, Salesforce, and other cloud platforms.

Deel denies the accusations, claiming Rippling is trying to shift the narrative after being accused of violating sanctions law in Russia. The lawsuit certainly highlights the intense rivalry but also serves as a dramatic reminder that insider threats are still just as prevalent in 2025. The following discussion will give you some insight into the espionage campaign and what mitigations could have prevented it.

What happened?

After four months of calculated reconnaissance and data exfiltration, the Deel spy’s activities only “came to light very recently” for Rippling, according to 48 pages of court filings on March 17, 2025 against Deel.

The spy (identified as a male from Ireland) was able to leak and distribute customer data, pricing information, competitive intelligence, Rippling employee data for targeted recruiting, trade secrets, and more during a four-month window. Currently, there is little detail about any software or technology secrets taken, but there is reference to “drawings” and “intellectual property” in one of seven complaints specifically for racketeering.

Further investigation from Rippling’s team after recent revelations found that in one day, Deel’s spy “conducted searches that revealed 728 new companies requesting a demo of Rippling’s products; 282 in-depth notes from Rippling account executives on companies that were new prospects in its sales pipeline.” The chart below from Rippling's filing details how often the spy queried the term ‘deel’ in Slack.

Search activity from Deel's alleged spy

How did we get here?

Rippling was founded in 2016 and has offered a growing global workforce management system and platform as a service since 2022. Deel started three years later in 2019 and ironically was a Rippling customer until 2023 before Deel needed to terminate the contract out of competitive concern. That same year (2023), the spy was unknowingly hired by Rippling as a Global Payroll Compliance Manager due to his extensive and credible background per the court filings.

Rippling, like many companies, dedicates considerable resources to identifying potential customers and communicating their value proposition to them. For years, Rippling generated a tremendous amount of data about what marketing and sales efforts were working and why. This data then steered how the company adapted its products and messaging.

In addition to the sales databases capturing customer information and activities in Salesforce, the company stored “Competitive Intelligence Cards” and other sensitive documentation about their respective competitors in a Google Drive repository.

This is a sampling of the ‘secret sauce’ Deel allegedly was after.

How to catch a spy?

Multi-cloud visibility

Rippling has many sources of data including the internal messaging application, Slack; a Salesforce database containing confidential information about current and prospective customers; a Google Drive repository; an HR system with names, addresses, and personal cell phone numbers for Rippling employees; and Gong for transcribing sales calls and storing those notes in Slack.

The filing states that the alleged spy accessed all the above data stores, but there are likely more. Rippling had seemingly no way of monitoring, alerting, or proactively mitigating access risks or posture across the disparate cloud systems. We can assume this because the company needed to hire an “investigative firm to determine the extent and scope of the intrusion” and a “cybersecurity vendor to identify how Deel was able to exploit Rippling’s systems.”

This is not new: many organizations lack comprehensive visibility into their sensitive data throughout the environment, who has access to it, and how that access is changing over time in each of these data stores.

A single platform like Salesforce can have 75+ permission sets with varying degrees of entitlements and over 30 user profiles out of the box. Most often an organization will have 2-5 times that amount within several years.

Manually managing and reviewing each user's access individually for Slack, Salesforce, Google Workspace, and more is not scalable and is likely impractical. Therefore, organizations require an automated platform to manage permissions at scale. It’s also important to have a single pane of glass to see sensitive data access along with permissions and entitlements throughout the environment.

Integrated identity security and data security

The primary form of data protection for Rippling cloud systems and applications was “various authentication methods,” or MFA. Once authenticated and authorized to the application or system, the spy and other users could discover data, join groups and channels, download information locally, and distribute it “via electronic mail and/or other electronic means”.

Most data threat actors are logging in rather than breaking in, and an insider threat or spy is a perfect example of this. Therefore, organizations must rely on a data security platform (DSP) that is fully integrated with their identity provider, like Microsoft Entra ID and Okta, and captures information about local identities in Salesforce and Slack.

The spy was able to preview many channels without joining them. With a complete DSP connected to each user's identity fabric, organizations can capture both event types (preview and join) and see spikes like the ones below from Rippling's court filing.

Spy exploration of Slack channels over time

User Behavior Analytics

The spy held a role in payroll operations for one year and five months, conducting mostly normal data access until November 2024. Then, during a four-month tear, he completely altered his access behavior towards sales, marketing, and competitive resources, not payroll operations. Below is a short list of the changed behaviors:

  • Searched terms abruptly out of nowhere and with increased frequency
  • Searched terms and accessed resources not connected with his job, role, or duties
  • Increased access to channels and groups “orders of magnitude greater than he had before”
  • Viewed or downloaded information about Rippling’s existing customers on more than 600 occasions in four months

Security teams are historically unable to reason over and prioritize the magnitude of alerts and events coming at them. User Behavior Analytics (UBA) within a DSP can help detect, highlight, and take action on anomalous behavior. The quicker an organization is able to correlate changes in behavior, the faster it is able to reduce the dwell time of the actor — in this case a spy with brazen espionage activity over four months.
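The kind of baseline comparison described above, and the reason preview events matter as much as joins, can be shown with a small added example (not code from the filing or from any vendor). The event schema, the `payroll_mgr` user, the channel names, and the `ROLE_CHANNELS` mapping are all constructed assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta
from statistics import median

# Hypothetical role baseline; in practice derived from the user's peer group.
ROLE_CHANNELS = {"payroll_mgr": {"payroll-ops", "payroll-compliance"}}

def sample_events():
    """Constructed (user, day, action, channel) events; not a real Slack schema."""
    events, monday = [], date(2024, 9, 2)
    for w in range(9):  # nine quiet baseline weeks
        day = monday + timedelta(weeks=w)
        events.append(("payroll_mgr", day, "join", "payroll-ops"))
        events.append(("payroll_mgr", day, "preview", "payroll-compliance"))
    spike = monday + timedelta(weeks=9)  # week of 2024-11-04
    events.append(("payroll_mgr", spike, "join", "payroll-ops"))
    for i in range(12):  # previewed but never joined
        events.append(("payroll_mgr", spike, "preview", f"sales-deal-{i}"))
    return events

def flag_weeks(events, role_channels, actions=("preview", "join"),
               factor=5, min_history=4):
    """Flag user-weeks whose distinct-channel count exceeds `factor` times
    the median of that user's earlier, unflagged weeks."""
    touched = defaultdict(set)  # (user, iso_year, iso_week) -> channels
    for user, day, action, channel in events:
        year, week, _ = day.isocalendar()
        bucket = touched[(user, year, week)]  # week exists even if empty
        if action in actions:
            bucket.add(channel)
    history, alerts = defaultdict(list), []
    for (user, year, week), channels in sorted(touched.items()):
        past = history[user]
        if len(past) >= min_history and len(channels) > factor * max(median(past), 1):
            alerts.append({
                "user": user, "week": (year, week), "channels": len(channels),
                "baseline": median(past),
                "off_role": sorted(channels - role_channels.get(user, set())),
            })
        else:
            past.append(len(channels))  # only normal weeks feed the baseline
    return alerts

if __name__ == "__main__":
    for alert in flag_weeks(sample_events(), ROLE_CHANNELS):
        print(alert)
```

Calling `flag_weeks` with `actions=("join",)` on the same data returns no alerts, because the spike consists entirely of previews.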

Data activity on endpoints

A data breach can involve multiple data systems, identity and access vulnerabilities, and anomalous user behavior as discussed. Yet, there also can be signs of a breach coming from endpoint telemetry.

In the case of the spy at Rippling, his most common tactic followed three steps:

  1. Search for sensitive data through the Slack and Salesforce mobile applications on a personal phone
  2. Once a target source (such as a channel in Slack) was identified, download the sensitive data or lists on a work computer
  3. Send downloaded files to external parties through personal email or messaging

If users can access information on mobile applications or take actions such as downloading, printing, and emailing from their various endpoints, organizations need technical solutions to monitor these events or control when they can occur. Many endpoint security solutions can detect malicious files like ransomware and executables but not improper use of sensitive data.
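As an added example (not taken from the filing or any product), the three-step pattern above can be detected by correlating app, endpoint, and mail telemetry per user within a time window. The tuple layout, device labels, user IDs, file names, and the `corp.example` domain are constructed assumptions.

```python
from datetime import datetime, timedelta

CORP_DOMAINS = {"corp.example"}  # assumption: the organization's mail domains

# Constructed telemetry: (timestamp, user, device, action, target, detail).
# Field names and device labels are hypothetical, not any vendor's schema.
EVENTS = [
    ("2025-01-14T08:05", "pm01", "personal-phone", "search", "sales-pipeline", ""),
    ("2025-01-14T09:40", "pm01", "work-laptop", "download", "sales-pipeline", "prospects.csv"),
    ("2025-01-14T09:52", "pm01", "work-laptop", "email_send", "prospects.csv", "me@mail.example"),
    # Benign: download without a prior phone search, sent to a colleague.
    ("2025-01-14T10:00", "ae07", "work-laptop", "download", "sales-pipeline", "q1.csv"),
    ("2025-01-14T10:05", "ae07", "work-laptop", "email_send", "q1.csv", "boss@corp.example"),
    # Benign: phone search that never leads to a download.
    ("2025-01-14T11:00", "hr03", "personal-phone", "search", "payroll-ops", ""),
]

def find_chains(events, window=timedelta(hours=24)):
    """Return search -> download -> external-send chains per user, where each
    step follows the previous one within `window`."""
    searched, downloaded, chains = {}, {}, []
    for ts, user, device, action, target, detail in sorted(events):
        when = datetime.fromisoformat(ts)
        if action == "search" and device == "personal-phone":
            searched[(user, target)] = when
        elif action == "download" and device == "work-laptop":
            seen = searched.get((user, target))
            if seen and when - seen <= window:
                downloaded[(user, detail)] = (target, when)
        elif action == "email_send":
            source, pulled = downloaded.get((user, target), (None, None))
            domain = detail.rsplit("@", 1)[-1].lower()
            if pulled and when - pulled <= window and domain not in CORP_DOMAINS:
                chains.append({"user": user, "source": source, "file": target,
                               "recipient_domain": domain, "sent": ts})
    return chains

if __name__ == "__main__":
    for chain in find_chains(EVENTS):
        print(chain)
```

The window is the main tuning knob: too short and slow, deliberate chains are missed; too long and routine search-then-share work starts to match.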

Who will lose in this lawsuit?

Ultimately, the employees and customers from both organizations will lose. There are thousands of employees facing potential job loss or uncertainty because of this lawsuit (before and after), and tens of thousands of customers are now having to consider migrating their HR and financial systems unexpectedly in the middle of a fiscal year for most.

Additionally, company resources like finances and leadership focus will be drawn towards these legal matters instead of innovation, customer success, and employee well-being at both firms. Penalties may be paid, and an Irish spy may spend time in prison, but insider threats can affect a blast radius that far exceeds punitive damages.

For this reason, organizations should consider an internal or external risk assessment focused on data and access within each system. If you wait for a breach or incident to happen, it’s already too late. Don’t let an incident of this magnitude prompt an assessment. Risk assessments should include technologies and mitigations, but also a review of policies and procedures for employees to report odd behavior.

Simply put, see something, say something.

 
