
Even the most security-conscious companies aren’t immune to insider threats. The latest example comes from Palantir Technologies - one of the most sophisticated data analytics firms in the world - which is now suing two former employees for allegedly stealing the company’s “crown jewels” before leaving to start a competing business.
Today’s greatest security risks often don’t come from the outside - they come from within. Modern work happens across SaaS apps, shared workspaces, and cloud platforms, and when sensitive data can move with a single click, even trusted employees can become vectors of exposure.
The Palantir case shows how easy it can be for proprietary data to leave the organization undetected - through collaboration tools as common as Slack.
If a company like Palantir can face this kind of breach, any organization can.
What Happened at Palantir?
According to a lawsuit filed this week in Manhattan federal court, two former Palantir employees - Radha Jain and Joanna Cohen - are accused of taking a cache of highly confidential company documents right before resigning.
The complaint claims the two were entrusted with proprietary source code and customer information, and violated agreements to protect that data.
Palantir alleges that one of the two employees sent those sensitive files from her company Slack workspace to a personal Slack account the day before resigning - a seemingly small action with massive implications.
The data was then allegedly used to help form a rival AI analytics startup called Percepta.
Within months of its founding, Percepta reportedly hired at least ten former Palantir employees, and nearly half of its workforce now consists of former Palantir staff, including its co-founder and CEO, Hirsh Jain.
While Percepta itself isn’t named as a defendant, the lawsuit accuses Jain and Cohen of breaching non-compete and confidentiality agreements, seeking to compel them to comply.
Why Insider Risk Is Everyone’s Problem
What makes the Palantir case so compelling isn’t just the lawsuit - it’s the pattern.
Two trusted insiders, with legitimate access to sensitive systems, allegedly walked away with the company’s most valuable assets. No advanced malware. No external hacker. Just human behavior and unmonitored access through a common SaaS app.
This is the modern face of insider risk.
In every organization, there’s a constant stream of employees, contractors, and partners accessing and sharing information. Most of them are doing exactly what they should be - collaborating, communicating, building. But it only takes one moment of poor judgment, curiosity, or malicious intent for that collaboration to turn into exposure.
Insider risks generally fall into two categories:
- Malicious insiders - individuals who knowingly steal data or misuse their access for personal or competitive gain.
- Negligent insiders - those who unintentionally expose information by misconfiguring permissions, oversharing files, or using unauthorized third-party apps.
Both types of insider risk can cause real damage - especially in SaaS environments where data flows freely across dozens (or hundreds) of connected applications.
Traditional DLP tools and perimeter defenses weren’t built for this world. They can’t see when a departing engineer uploads confidential code to a personal Slack channel, or when a well-meaning employee accidentally grants “Anyone with the link” access to a sensitive customer file in Google Drive.
That’s why insider risk isn’t a Palantir problem - it’s everyone’s problem. Whether you’re a 10-person startup or a Fortune 500 company, data now moves faster than your ability to manually track it.
And, without visibility into who is doing what, where, and when across your SaaS stack, every company is one Slack message away from its own headline (and lawsuit!).
How Can Sensitive Data Be Exfiltrated via Slack?
Slack is where modern work happens - and increasingly, where data quietly escapes.
What makes the Palantir case particularly striking is how ordinary the exfiltration vector was: a simple file transfer over Slack.
No complex exploit. No network compromise. Just a trusted user moving sensitive files from a company workspace to a personal one, undetected.
This is the gray area where collaboration and security collide. Slack, Microsoft Teams, Google Drive, and other SaaS tools are designed for openness: to make it easier for teams to share, integrate, and move faster. But that same openness can make them blind spots for data protection.
Security teams often assume these tools are covered under legacy DLP or CASB policies. In reality, most don’t have granular visibility into how data moves inside SaaS environments - who’s sharing files externally, which channels contain sensitive content, or what information is being posted to unmanaged accounts.
The Palantir incident is a reminder that insider threats aren’t always the result of malicious code or stolen credentials. Sometimes, it’s a legitimate employee using a legitimate tool - just in a way that no one’s watching.
And when sensitive intellectual property can be moved with a drag and drop or a Slack message, prevention isn’t about restricting collaboration - it’s about introducing visibility, automation, and remediation guardrails that prevent data from leaving unnoticed.
How DoControl Would Have Prevented This Insider Risk Incident
In the Palantir case, the alleged data theft didn’t require advanced hacking - it required opportunity.
A departing employee, still authenticated to corporate SaaS tools, was able to send proprietary files from a company Slack workspace to a personal account the day before resigning.
This is exactly the type of scenario DoControl was purpose-built to prevent.
DoControl continuously monitors and analyzes user activity across SaaS applications - Slack included - to detect when data is being shared or moved in risky ways.
If a user attempts to send files from a corporate Slack environment to an external or personal domain, DoControl automatically detects and flags that behavior in real time.
Depending on policy, the platform can take proactive action:
- Alert security or IT teams immediately.
- Block the transfer outright before data leaves the organization.
- Quarantine, revoke, and remediate external file access if sensitive content is detected.
But the protection goes beyond one-off events. DoControl builds contextual awareness of user behavior for 24/7 protection.
For example, DoControl maintains contextual behavioral baselines across all employees and users. When an event deviates from them - like a burst download, or a sharing event to a personal account - it gets flagged as anomalous behavior. Then a workflow is triggered and the incident is remediated accordingly.
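To make the baseline idea concrete, here is a small sketch of that kind of detection logic. It is an added example, not DoControl's code or Slack's API: the event schema, the `corp.example` domain, and the threshold values are all assumptions, and the audit events are constructed sample data.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

CORPORATE_DOMAINS = {"corp.example"}  # assumption: the organization's managed domains

# Constructed sample audit events (hypothetical schema): (day, user, action, target)
EVENTS = (
    [(d, "alice", "file_download", f"doc{d}-{i}") for d in range(1, 8) for i in range(3)]
    + [(d, "bob", "file_download", f"src{d}-{i}") for d in range(1, 8) for i in range(4)]
    + [(8, "alice", "file_download", f"doc8-{i}") for i in range(3)]
    + [(8, "bob", "file_download", f"src8-{i}") for i in range(40)]
    + [(8, "alice", "file_share", "carol@corp.example"),
       (8, "bob", "file_share", "bob.personal@mail.example")]
)

def find_anomalies(events, today, sigmas=3.0, floor=10):
    """Return findings for `today`: external shares and per-user download bursts."""
    first_day = min(day for day, *_ in events)
    daily = defaultdict(Counter)  # user -> {day: download count}
    findings = []
    for day, user, action, target in events:
        if action == "file_download":
            daily[user][day] += 1
        elif action == "file_share" and day == today:
            # A share is external when the recipient's domain is not managed.
            domain = target.rsplit("@", 1)[-1].lower()
            if domain not in CORPORATE_DOMAINS:
                findings.append((user, "external_share", target))
    for user, counts in daily.items():
        # Baseline is the user's own history, counting quiet days as zero.
        history = [counts[d] for d in range(first_day, today)]
        if not history:
            continue  # no baseline yet; nothing to compare against
        # The floor keeps very quiet users from alerting on a handful of files.
        threshold = max(floor, mean(history) + sigmas * pstdev(history))
        if counts[today] > threshold:
            findings.append((user, "burst_download", counts[today]))
    return findings

if __name__ == "__main__":
    for finding in find_anomalies(EVENTS, today=8):
        print(finding)
```

Neither signal is conclusive alone, but the two firing for the same user on the same day is the pattern worth routing to a reviewer first.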
By pairing automation with policy intelligence, DoControl ensures that collaboration tools remain open and productive, without becoming unchecked exfiltration channels. It’s security that moves at the same speed as your SaaS environment.
In short? If Palantir had visibility into that Slack transfer - or automated controls to stop it - their “crown jewels” would never have left the building.
Turning Lessons into Action
It's incredibly unfortunate what happened in the Palantir insider case - but it's important nonetheless to highlight just how common this really is.
It’s a harsh reminder that even the world’s most advanced companies can lose control of their most valuable data - not through an external breach, but through everyday tools and trusted employees.
Insider risk is a constant reality. The solution isn’t to limit access or slow innovation, but to create intelligent guardrails that keep data safe while enabling business productivity.
Organizations that invest in continuous visibility, automated controls, and proactive offboarding processes can prevent these scenarios before they happen. Because once sensitive data walks out the door, it’s not just a legal battle - it’s a loss of trust, reputation, and competitive advantage.
Modern security isn’t just about keeping attackers out. It’s about keeping your data in.


