Real Insider Incidents That Shaped 2025: What Organizations Can Learn
Insider threats have become one of the most damaging and complex security risks organizations face today. Throughout 2025, several high-profile incidents showed how both malicious insiders and unintentional mistakes can bypass traditional controls, disrupt operations, and expose sensitive data.
Major Insider Incidents in 2025
- Rippling vs. Deel: Corporate Insider Spy Operation (March 2025)
Rippling accused competitor Deel of placing an insider within its workforce.
A Global Payroll Compliance Manager accessed confidential files across Slack, Salesforce, and Google Drive for months.
The case escalated into a legal dispute, marking one of the year’s most striking examples of corporate espionage via insider placement.
- Slater & Gordon: Leaked Salaries & Internal Emails (Feb 2025)
A former employee deliberately leaked internal emails revealing staff salaries, performance ratings, and strategic discussions.
The attacker targeted select internal teams while intentionally avoiding leadership and IT.
- Coinbase: Social Engineering on Privileged Support Contractors (May 2025)
Advanced social engineering tactics, including SMS impersonation and phone manipulation, tricked outsourced customer-support contractors into granting unauthorized access.
Sensitive internal security data and customer information were exposed.
- Coca-Cola Gulf: Employee Documents Posted Online (May 2025)
The Everest hacking group released passport scans, visa documents, labor cards, and internal correspondence from Coca-Cola’s Gulf operations. Screenshots of executive and employee data circulated widely on the dark web.
- UK Special Air Service (SAS): Accidental Exposure of Personnel
A routine regimental magazine mistakenly included names and deployment details of SAS personnel.
Once published online, the unintended disclosure posed significant national security risks.
- CrowdStrike: Employee Caught Leaking Internal Screenshots (Nov 2025)
CrowdStrike terminated an employee for attempting to share internal screen captures with hackers, after the captures were leaked on Telegram by the Scattered Lapsus$ Hunters threat actors.
While systems remained secure, the potential exposure and malicious intent led the company to involve law enforcement.
What We Learned from 2025 Insider Incidents
The incidents reported throughout 2025 offer a clear view into how insider risks unfold in real environments. They help organizations better understand the reality of insider behavior and identify where controls, processes, and awareness must evolve.
1. Malicious insider activity is real and increasingly strategic
Deliberate infiltration, privilege misuse, and insider-enabled espionage are not rare or isolated events.
2. Offboarding gaps remain one of the biggest vulnerabilities
Delayed privilege revocation continues to enable sabotage, data theft, and unauthorized access after employees leave.
3. Privileged users and contractors are the most exposed
Attackers increasingly target individuals with elevated access through social engineering and credential abuse.
4. Visual leaks are now a dominant insider method
Screenshots, recordings, and photos of screens bypass many controls, raising the need for traceability measures like screen watermarking.
5. Human error and negligence still drive a large share of incidents
Accidental disclosure, mishandled documents, and careless data handling remain major sources of insider-related breaches.
The insider incidents of 2025 make one thing clear: the greatest risks often come from those with legitimate access, whether through malicious intent, manipulation by external actors, or simple human mistakes. As organizations continue to rely on distributed teams, contractors, and high-velocity digital workflows, insider exposure will only grow more complex.