
After its data was wiped, KiranaPro’s co-founder cannot rule out an external hack
The recent data loss incident at Indian grocery delivery startup KiranaPro has raised questions about whether it was due to an internal breach or an external hack. Initially, the Bengaluru-based startup attributed the incident to a former employee. However, KiranaPro’s co-founder and CEO, Deepak Ravindran, has now conceded that the company did not deactivate the employee’s account after their departure and cannot rule out the possibility of subsequent malicious misuse.
Last week, KiranaPro discovered that it could not access its back-end servers, and all its data, including its app code, had been deleted from GitHub. Ravindran acknowledged the need for a thorough forensic investigation. “If we go deeper, we have to do a real forensic investigation. We are going to talk [about] this with our board, the investors, and we are going to get a formal opinion on that also with our legal advisers,” he told TechCrunch.
Despite initially claiming on X (formerly Twitter) that the incident was an internal breach, Ravindran’s statements have become less definitive. He had previously stated, “After careful investigation, we conclude that this was not a hack. No external party penetrated our ordering or payment systems, exploited vulnerabilities, or bypassed security protocols.”
Ravindran even shared a screenshot of a former employee’s LinkedIn profile, alleging their involvement in deleting the startup’s code. However, when questioned by TechCrunch about the possibility of a third party gaining access to the former employee’s account, Ravindran admitted he could not rule it out.
“We have to do a complete forensic check on the company. We have to do the entire IP scan. We have to look at where the tracks happened. We have to check the computers, MacBooks, and whatever is used. Everything has to be done. Then we have to spend money … so, that’s why we decided not to,” Ravindran explained.
Ravindran stated that the basis for his allegation was a GitHub response indicating the former employee’s username was associated with the deletion. “All we have is the emails that we got from GitHub, stating that [the former employee’s username] as an individual is the one who deleted the account. We haven’t done the investigation further,” he said.
Launched in late 2024, KiranaPro operates on the Indian government’s Open Network for Digital Commerce, enabling customers to purchase groceries from local shops. Ravindran justified calling out the former employee based on the company’s “belief system,” claiming the employee deleted the data after their termination. However, the company admitted it lacked sufficient security measures, such as multi-factor authentication, on the former employee’s devices and did not remove the employee’s access to its data and GitHub account after their departure.
CTO Saurav Kumar confirmed, “Employee offboarding was not being handled properly because there was no full-time HR.”
In addition to the GitHub data, KiranaPro also lost access to its Amazon Web Services (AWS) account. Ravindran stated that the GitHub data was restored from a backup, and access to the AWS account was regained. While the AWS account was supposedly protected by multi-factor authentication, the means of unauthorized access remains unclear.
Ravindran claimed the customer data in the AWS cloud remained intact. Despite the uncertainties, Ravindran indicated that the startup has enough evidence to consider filing a police complaint and that its investigation is ongoing. He also confirmed that the company has not fully paid its current employees, despite recently raising a seed round of ₹100 million (approximately $1.2 million).