🤯 Rippling Sues Deel for Corporate Espionage!
Perhaps the most insane SaaS story in a long time. Is Deel's CFO (who is the CEO's father) implicated in the espionage?
Today’s Sponsor: NetSuite
An array of ever-changing regulations, technologies, and trends have CFOs wondering: What do I need to prioritize this year to set my team and company up for success? We’ve got you covered with 25 actionable ideas to help CFOs dive into 2025 without missing a beat.
Rippling Sues Deel
Rippling ($14B HR company) just filed a lawsuit accusing Deel ($12B HR Company) of corporate espionage, trade-secret theft, and cultivating a spy within Rippling.
And you thought SaaS was boring?!?! Netflix documentary coming soon?
If the accusations in the lawsuit are true then this is one of the most insane things to happen in the software world:
Creating a spy at a competitor
Spy steals TONs of competitive information
Rippling creates a “honeypot” trap to prove that top leadership was involved
Spy cries in the office bathroom when confronted, tries to flush his phone down the toilet, and then runs away (and now faces imprisonment in Ireland)
Let’s dig into this insane story…
*Note - these are allegations from Rippling’s lawsuit and the story is still unfolding. So far it is only being told from Rippling’s point of view so we need to wait before making too many judgements, but the evidence is pretty compelling.
Catching a Spy
According to the lawsuit, Deel cultivated a Rippling employee to conduct thousands of suspicious searches and funnel stolen confidential business intelligence directly back to Deel.
Per the lawsuit, the Deel spy (Rippling employee) used Rippling systems to steal all kinds of confidential information:
Sales data to get unfair competitive advantage on sales prospects
Data on Deel’s own customers that might be switching to Rippling
Pricing and other customer retention data
Internal employee contact information (to poach Rippling talent)
And other confidential data relevant and helpful to Deel
Unusual Activity
The spy searched the term “Deel” in the competitor’s systems on average 23 times a day over a four month period, which allowed the spy to comprehensively capture every detail of Rippling’s sales pipeline competing with Deel, including proposed pricing, details of sales meetings and conversations between Rippling and prospective customers evaluating a switch away from Deel, and training materials for Rippling’s sales organization on how to compete against Deel.
The Deel spy had been employed at Rippling since June 2023 but only started searching “Deel” within Rippling’s Slack in November of 2024. And he searched it A LOT since that time…Perhaps an indication on when he became a Deel spy.
The other obviously suspicious activity of the spy is the number of times he “previewed” various company Slack channels that he had no businesses viewing. Slack allows users to “preview” a Slack channel without joining it. The reason to only preview the channel is because if you join a Slack channel the Slack channel members are alerted of the new person that joined. And since the spy had no business being in those channels the spy didn’t want to trip any alarms by joining the channels.
He previewed a lot of channels….
I was surprised that Rippling was able to get this level of information from Slack analytics, but turns out that typically companies don’t have this level of detail. Rippling worked with Salesforce.com (Slack’s parent company) to run these searches on their logs.
The “Honeypot” Trap
All of the spy’s unusual online activity/searches in Rippling databases raised red flags for Rippling’s security team. After the security team continued to dig, it likely became clear what was going on.
But the big question for Rippling was how high up at Deel did the espionage go?
It is one thing to prove that someone like a sales rep at Deel is stealing secrets, but a REALLY huge deal if they can prove that Deel’s top leadership was involved.
This is where the investigation turned into a Netflix-style investigation crime documentary. Rippling set up a “honeypot” to prove how high up the espionage within Deel went.
Honeypot = a decoy system designed to attract and trap cyber attackers, allowing security professionals to catch the spies without endangering real systems.
Rippling crafted a letter that was sent to Deel that referenced an empty Slack channel in Rippling’s corporate Slack instance called “d-defectors,” and implied the Slack channel contained messages that Deel would find embarrassing if made public.
The letter was sent to only three people at Deel:
Phillipe Bouaziz, the chairman of Deel’s board, CFO, General Counsel
Spiros Komis, Deel’s Head of US Legal
Deel’s outside counsel
No one knew about the Slack channel except for Rippling’s investigation team and those three Deel leaders.
But…within hours of sending the letter, Deel’s alleged spy inside of Rippling searched for this empty and never-before-used Slack channel. This in theory proves that Deel’s top executives or its legal representatives (or people very close to them) were running the covert espionage operation.
Confronting the Alleged Spy
Rippling got a court order from Ireland (where spy was located) to obtain the spy’s phone for further evidence. When the court-appointed solicitor confronted the spy, the spy ran to the bathroom and refused to turn over his phone.
When told he must give up his phone (and not delete anything) or he will be imprisoned the spy said the following and then ran away:
I’m willing to take that risk [of violating the court order] — alleged spy
Not really the actions of an innocent person…
Important Lessons
Good security teams are critical
The majority of companies probably would not have caught this. Or it would have taken much longer. Kudos to Rippling’s security team for uncovering it. Don’t neglect mission critical functions like your security team. When things are going well, you never hear of issues but that doesn’t mean they aren’t stopping potentially big problems.
Security and IT are watching…
Don’t do stupid stuff like this. You will probably get caught (eventually). The tools for monitoring employee activity are REALLY good and getting better. Your management team may be getting reports of all your activities (I know a lot of companies that do this).
My ethics test is the following:
How would I feel if my actions were reported on the front page of the newspaper?
CFO being the CEO’s father will NEVER be a good idea
Regardless of the outcome of this investigation, having the CEO’s father be the CFO is a REALLY bad idea. I am actually really surprised that their investors allowed that to continue as long as they have (Deel currently a $13B company).
Cost of corporate espionage can be HUGE
It’s not something we talk about a lot because it happens so infrequently (at least it isn’t caught that often), but there are some potentially massive costs for this type of alleged espionage.
Some of the big costs include the following:
Significant lost of employee time/attention in investigation and the aftermath
Lost employees from competitor stealing top talent
Lost sales competitive advantage. Deel allegedly stole lots of important information pertaining to sales to new customers and retaining existing Rippling customers. Lost SaaS ARR is massively expensive (read my unit economics post)
Lost new business
Increased churn
More pressure on Rippling pricing due to the unfair advantage that Deel obtained
Cost of hiring an investigative firm, attorneys, etc
What Happens Next?
The ball is now in Deel’s court. Rippling provided A LOT of evidence so Deel must now respond.
Rippling is not yet able to prove conclusively that Deel execs (like the CFO) were directly involved. It only seems very likely that someone high up within Deel was involved given the evidence found in the honeypot trap.
Next steps are probably something like this:
Deel to hire own investigation team. Deel will conduct its own internal investigation to determine what (if any) wrongdoing occurred and who was involved. They must do this given the evidence and the lawsuit.
Place certain executives on leave? Like I said before, a CFO being the CEO’s father is a very sketchy corporate governance practice. Regardless of whether the CFO is innocent or not, I would put him on leave until the investigation is over. And maybe other leaders depending on what else Deel knows. And if I was the board, I would have the CFO (CEOs father) removed from his position either way because of the appearance and possibility for something else to go wrong because of the relationship.
The legal process happens. Deel has a certain amount of time to respond, then there is a discovery phase, legal battles, etc.
This legal process can take a long time, but given the evidence and very public nature of the lawsuit, Deel will need to move fast because now it is going to be very damaging to Deel’s business.
Final Thoughts
Again, these are all alleged crimes as of right now. While there is VERY strong evidence that there is wrongdoing, we don’t know exactly who was involved yet.
Here are a few final thoughts:
B2B SaaS is never worth going to jail over. It’s a slippery slope so don’t ever toe the line.
Strong corporate governance is critical (including the appearance of it). Regardless if the CFO was involved or not, I wouldn’t trust a company whose CFO is the CEOs father.
Good job Rippling security team! Luckily very few security teams have a high-profile breach like this, but Rippling’s security seemed to have been on top of the issue. I suspect many companies would have never caught this or it would have taken a lot longer.
Bonus: Best Rippling Lawsuit Memes
Footnotes:
Check out these 25 actionable ideas for CFOs in 2025 from NetSuite
Check out OnlyExperts to find offshore accounting resources. They have some amazing talent for 20% the cost of a U.S. hire
The former litigator in me can’t wait to see Deel’s response. 🍿
And like you said — a good security team is key! 👏👏👏
Wow... thanks for the rundown!