KiranaPro’s co-founder raises the possibility of an external hack following data loss.

By Posted on

KiranaPro Faces Data Breach Dilemma Amidst Uncertainty

Bengaluru-Based Grocery Delivery Startup Confronts Internal and External Investigation

In a troubling episode for KiranaPro, a grocery delivery startup based in Bengaluru, recent data loss raises critical questions about whether the incident stemmed from an internal breach or an external hack. The situation remains clouded as official statements and investigations unfold.

Incident Overview

Last week, KiranaPro encountered severe difficulties when it lost access to its back-end servers, resulting in the deletion of vital data, including application code hosted on GitHub. In response to the crisis, KiranaPro attributed the breach to actions by a former employee. However, co-founder and CEO Deepak Ravindran acknowledged an oversight; the company did not deactivate the former employee’s account following their exit, thereby leaving it vulnerable to potential misuse.

"If we go deeper, we have to conduct a comprehensive forensic investigation," Ravindran told TechCrunch. Discussions are planned with the company board, investors, and legal advisors to address the situation.

Clarifications on Internal Breach

In a post on X, Ravindran insisted that the breach was not the result of external hacking. “After a careful investigation, we conclude that there was no infiltration by any external party,” he stated. The CEO further claimed that the breach was strictly an internal matter, categorically attributing the deletion of critical data to a trusted ex-employee who had legitimate access.

Ravindran shared a LinkedIn profile screenshot of the individual implicated in the incident but noted that no concrete evidence has been provided to substantiate these claims.

Investigative Challenges

Amid ongoing inquiries, TechCrunch pressed Ravindran on whether external actors may have gained unauthorized access to the former employee’s account. He was unable to conclusively dispel this possibility, emphasizing the necessity for a thorough forensic examination of the company’s systems.

“We have to execute a comprehensive IP audit and check all devices used by our team,” Ravindran remarked.

The basis for his allegations stems from GitHub communications, which suggested the individual in question deleted the account. However, a full investigation has yet to be completed.

Company Background and Operational Impact

Founded in late 2024, KiranaPro operates a digital platform integrated with the Indian government’s Open Network for Digital Commerce. The platform enables over 55,000 users in 50 cities to conveniently purchase groceries from local vendors and supermarkets, using a voice-based interface that accommodates multiple languages like English, Hindi, Malayalam, and Tamil.

The confluence of events has raised alarm over the employee offboarding process. The chief technology officer, Saurav Kumar, admitted that proper offboarding procedures were not executed, attributing this shortcoming to the absence of a full-time Human Resources department.

Data Restoration Efforts

In a positive development, KiranaPro has reportedly restored its GitHub data from employee backups and regained access to its Amazon Web Services (AWS) account, which comprised essential customer information and transaction details.

While Ravindran assured that the AWS account was secured with multi-factor authentication, he could not clarify how the decision was made to regain access, given that he was the sole person with physical access to the device generating the authentication codes.

Despite these setbacks, Ravindran maintained that customer data within the AWS cloud remained secure and untouched by the former employee or any external entities. “If there was any breach, we would have received alerts,” he asserted.

Broader Implications

KiranaPro is also navigating operational challenges, including delayed payments to current employees following a recent seed funding round of ₹100 million (approximately $1.2 million). The company’s funding partners include various venture firms and notable angel investors, such as Olympic medalist PV Sindhu.

As the investigation continues, KiranaPro remains positioned at a critical juncture that will determine its operational security and future in the competitive grocery delivery market. The company is contemplating formal police action based on the evidence gathered so far but has yet to conclude its internal review.

As KiranaPro proceeds with its investigations and recovery efforts, the situation serves as a cautionary tale for startups regarding data security, internal protocols, and employee management.

Related posts: