This is a fantastic example of applying deception strategies in practice as part of a detection & response plan. The most common use case is as a canary, but it absolutely works as evidence of compromise, too.
I won't comment on the specifics of the case (the complaint comes across as very convincing), but I will remind people that it's common for investigations to ostensibly show an employee doing bad things, when in reality it's e.g. that employee's credentials/devices that are compromised.
I linked to the press release because I know X links are frowned upon, but I think it doesn’t do the story justice.
Parker Conrad’s X thread is good: https://x.com/parkerconrad/status/1901615179718406276
Here’s the full complaint: https://rippling2.imgix.net/Complaint.pdf