Indian grocery delivery startup KiranaPro’s recent data loss story has more holes than Swiss cheese, as the startup remains unclear whether the incident was an internal breach or an external hack.
Last week, the Bengaluru-based startup discovered that it could not access its back-end servers and that all its data, including its app code, had been deleted from GitHub. The startup on Friday blamed a former employee for the breach. However, in an interview, KiranaPro co-founder and CEO Deepak Ravindran conceded that the company had not deactivated the employee’s account after they departed the company and cannot rule out the possibility of subsequent malicious misuse of their account.
“If we go deeper, we have to do a real forensic investigation. We are going to talk [about] this with our board, the investors, and we are going to get a formal opinion on that also with our legal advisers,” Ravindran told TechCrunch.
Earlier on Friday, Ravindran claimed in a post on X that the incident that affected its data was an internal breach.
“After careful investigation, we conclude that this was not a hack. No external party penetrated our ordering or payment systems, exploited vulnerabilities, or bypassed security protocols,” he wrote.
The co-founder also explicitly shared a screenshot of a LinkedIn profile of one of KiranaPro’s former employees on X on Thursday, alleging that they had deleted the startup’s code. (TechCrunch is not sharing the post’s link, as the startup has yet to offer concrete proof supporting its position.)
“[T]his was an internal data breach. Specifically, it was the result of actions taken by a trusted internal employee who had legitimate access to our systems,” the co-founder wrote in his post on Friday. “This individual intentionally deleted critical server logs while they were being tested and/or edited, an action that goes directly against our policies, our principles, and the trust we place in our team.”
When TechCrunch asked if KiranaPro could rule out whether any third party had maliciously gained access to the former employee’s account, Ravindran could not.
“We have to do a complete forensic check on the company. We have to do the entire IP scan. We have to look at where the tracks happened. We have to check the computers, MacBooks, and whatever is used. Everything has to be done. Then we have to spend money … so, that’s why we decided not to,” he told TechCrunch.
Then what was the basis of Ravindran’s allegation? It was a GitHub response, a copy of which he shared with TechCrunch.
The response included a username, which Ravindran said was associated with the former employee.
“All we have is the emails that we got from GitHub, stating that [the former employee’s username] as an individual is the one who deleted the account. We haven’t done the investigation further,” Ravindran told TechCrunch.
Former employee’s account was never offboarded
Launched in late 2024, KiranaPro operates as a buyer app on the Indian government’s Open Network for Digital Commerce. The startup allows more than 55,000 customers in 50 cities to purchase groceries from their local shops and nearby supermarkets using its voice-based interface. The company also supports local language inputs, including English, Hindi, Malayalam, and Tamil.
Ravindran stated that they decided to call out the former employee based on the company’s “belief system,” as they claim the former employee deleted the data after their sudden termination.
However, the startup said it is not aware if there were enough protections on the former employee’s devices, such as multi-factor authentication, to restrict malicious third-party access, like malware.
The company confirmed it did not remove the employee’s access to its data and GitHub account following his departure.
“Employee offboarding was not being handled properly because there was no full-time HR,” KiranaPro’s chief technology officer, Saurav Kumar, confirmed to TechCrunch.
Company restores AWS account and GitHub data
Alongside its code saved in GitHub, KiranaPro also lost access to its Amazon Web Services (AWS) account, which included its customer data and their transaction details.
Ravindran told TechCrunch that the GitHub data was restored after getting its backup from one of their employees. The startup also regained access to its AWS account along with its customer data.
Both the co-founder and CTO said the AWS account was protected by multi-factor authentication, but neither could say how the account was accessed, as nobody else had physical access to Ravindran’s phone, which generates the multi-factor code.
Nonetheless, Ravindran claimed that the customer data stored in the AWS cloud remained intact and was not accessed by any third parties, nor was it downloaded by the former employee in question.
“Because if that is the case, I will get its notification on email or anything [sic],” he said.
That said, Ravindran stated that the startup has enough evidence to file a formal complaint with the police, but said that its investigation is ongoing.
The startup has also not fully paid its current employees, the company’s co-founder confirmed, soon after the company raised a seed round of ₹100 million Indian rupees (about $1.2 million), which Ravindran said has yet to be fully wired.
The startup counts Blume Ventures, Unpopular Ventures, and Turbostart among its institutional venture backers, as well as Olympic medalist PV Sindhu and Boston Consulting Group managing director Vikas Taneja among its angel investors. It has 15 employees located in Bengaluru and Kerala.
