KiranaPro, an Indian grocery delivery startup, recently faced a perplexing data loss incident that has left many questions unanswered. The Bengaluru-based company is grappling with whether the breach was an internal mishap or an external hack, and the details remain murky.
Last week, KiranaPro discovered it couldn’t access its backend servers, and all of its data, including app code stored on GitHub, had vanished. Initially, the company pointed fingers at a former employee, blaming them for the breach. However, in an interview, CEO Deepak Ravindran admitted that the company had not deactivated the employee’s account after their departure, raising concerns about potential malicious activity.
“We need to conduct a thorough forensic investigation,” Ravindran explained. “We’re discussing this with our board, investors, and legal advisors to get a formal opinion.”
On the same day, Ravindran posted on X (formerly Twitter) asserting that the breach was internal. “After careful investigation, we conclude that this was not a hack,” he stated. “No external party penetrated our ordering or payment systems, exploited vulnerabilities, or bypassed security protocols.” He also shared a screenshot of a former employee’s LinkedIn profile, alleging that they had deleted the startup’s code. However, concrete proof backing these claims has yet to surface.
Ravindran emphasized that the breach resulted from actions taken by a trusted internal employee with legitimate access: “This individual intentionally deleted critical server logs while testing or editing, which goes against our policies and trust in our team.” When asked whether third parties might have exploited the former employee’s account, Ravindran couldn’t rule it out, citing the need for a comprehensive forensic check.
The basis for Ravindran’s allegations was a GitHub response he shared, which listed a username associated with the former employee as the one responsible for deleting the code. Notably, KiranaPro did not fully offboard the employee’s account after their departure, raising concerns about security gaps.
KiranaPro, launched in late 2024, operates as a buyer app on India’s Open Network for Digital Commerce. Serving over 55,000 customers across 50 cities, the platform allows users to buy groceries from local shops and supermarkets using voice commands in multiple languages, including English, Hindi, Malayalam, and Tamil.
Ravindran explained that the company’s decision to publicly accuse the former employee was rooted in its “belief system”: the belief that the individual deleted data after a sudden termination. However, the startup admits it lacked adequate protections on the employee’s devices, such as multi-factor authentication, which could have prevented unauthorized access.
The company also confirmed that it failed to revoke the employee’s access to its GitHub and other systems upon their departure. This oversight was attributed to the absence of a full-time HR team, as confirmed by CTO Saurav Kumar.
In addition to the loss of code, KiranaPro’s AWS account, which houses customer data and transaction details, was compromised. Ravindran stated that the startup managed to restore its GitHub code from a backup provided by an employee and regained access to its AWS account. Both Ravindran and Kumar confirmed that AWS was protected by multi-factor authentication, but they are still investigating how the breach occurred, especially since Ravindran’s phone, which generates MFA codes, was not physically accessible to others.
Ravindran also said that customer data stored on AWS was intact and had not been accessed or downloaded by any unauthorized parties. “If there had been any access, I would be notified via email,” he noted.
Despite the ongoing investigation, KiranaPro is contemplating filing a formal police complaint. The startup is also facing internal challenges, as it has not yet fully paid its employees following a recent seed funding round of ₹100 million (approximately $1.2 million). The round was led by notable investors like Blume Ventures, Unpopular Ventures, and Turbostart, with angel investors including Olympic medalist PV Sindhu and Vikas Taneja of Boston Consulting Group. The company employs 15 staff across Bengaluru and Kerala.
As KiranaPro navigates this complex situation, the incident underscores the critical importance of robust security protocols, thorough employee offboarding, and proactive data management in the digital age.