After Data Wipe, KiranaPro’s Co-founder Can’t Rule Out External Hack

The recent data loss incident at Indian grocery delivery startup KiranaPro has raised questions regarding the security and handling of its data. Initially, the company pointed fingers at a former employee; however, co-founder and CEO Deepak Ravindran now admits that the possibility of an external hack cannot be ruled out. This revelation adds complexity to the situation, prompting a deeper investigation into the actual cause of the data breach.

Last week, KiranaPro discovered they could not access their back-end servers, and all their data, including app code, was deleted from GitHub. Ravindran initially attributed the breach to a former employee. In an interview with TechCrunch, Ravindran conceded that the employee’s account was not deactivated after their departure, leaving room for potential misuse.

Ravindran stated, “If we go deeper, we have to do a real forensic investigation. We are going to talk [about] this with our board, the investors, and we are going to get a formal opinion on that also with our legal advisers.”

In a post on X, Ravindran claimed, “After careful investigation, we conclude that this was not a hack. No external party penetrated our ordering or payment systems, exploited vulnerabilities, or bypassed security protocols.” However, this statement contradicts his later admission about the uncertainty surrounding external access.

When asked if KiranaPro could definitively rule out the possibility of a third party gaining malicious access to the former employee’s account, Ravindran admitted they could not. “We have to do a complete forensic check on the company. We have to do the entire IP scan. We have to look at where the tracks happened. We have to check the computers, MacBooks, and whatever is used. Everything has to be done. Then we have to spend money… so, that’s why we decided not to,” he explained.

The basis for Ravindran’s initial allegation was a GitHub response indicating that the former employee’s username was associated with the data deletion.

KiranaPro, launched in late 2024, operates on the Indian government’s Open Network for Digital Commerce, facilitating grocery purchases from local shops via a voice-based interface. The startup serves over 55,000 customers in 50 cities and supports multiple languages.

According to Ravindran, the decision to publicly accuse the former employee was based on the company’s “belief system,” claiming the employee deleted the data after a sudden termination. However, the company admitted that they were unaware of the security measures in place on the former employee’s devices, such as multi-factor authentication.

CTO Saurav Kumar acknowledged that “Employee offboarding was not being handled properly because there was no full-time HR.”

Besides GitHub data, KiranaPro lost access to its Amazon Web Services (AWS) account, which contained customer data and transaction details. While the GitHub data was restored from a backup, the AWS account was also recovered.

Ravindran claimed that the customer data stored in AWS remained intact and was not accessed by third parties. He stated the company had enough evidence to file a formal complaint with the police, and the investigation is ongoing.

Adding to the startup’s woes, KiranaPro has yet to fully pay its current employees, despite raising a seed round of ₹100 million Indian rupees (approximately $1.2 million).