After its data was wiped, KiranaPro’s co-founder cannot rule out an external hack

The recent data loss incident at KiranaPro, an Indian grocery delivery startup, has raised numerous questions about the security of its systems. The Bengaluru-based company found itself unable to access its back-end servers last week, discovering that crucial data, including its app code, had vanished from GitHub. KiranaPro has pointed fingers at a former employee, claiming responsibility for the breach. However, co-founder and CEO Deepak Ravindran acknowledged in an interview that the company failed to deactivate the employee's account after their exit, leaving the door open for potential misuse. "If we go deeper, we have to do a real forensic investigation. We are going to talk to our board, the investors, and we are going to get a formal opinion on that also with our legal advisers," he explained. Initially, Ravindran asserted in a social media post that the data loss was an internal issue rather than a hack. He stated, "After careful investigation, we conclude that this was not a hack. No external party penetrated our ordering or payment systems, exploited vulnerabilities, or bypassed security protocols." He even shared a screenshot of a LinkedIn profile of the alleged former employee, claiming they deleted vital company code. Despite these assertions, when asked if any third party could have accessed the former employee's account, Ravindran admitted they could not conclusively rule it out. He emphasized the need for a comprehensive forensic investigation, which would involve scrutinizing the company's digital footprint and employee devices. Ravindran's allegations were based on a response from GitHub, which indicated that the former employee's account was linked to the deletion. However, he noted that the investigation had not progressed significantly, stating, "We haven't done the investigation further." Founded in late 2024, KiranaPro operates as a buyer app on the Indian government’s Open Network for Digital Commerce, serving over 55,000 customers across 50 cities. The app allows users to purchase groceries through a voice-based interface, accommodating various local languages. Ravindran's decision to accuse the former employee stemmed from the belief that the data deletion occurred after their termination. However, the company has not confirmed whether adequate security measures, such as multi-factor authentication, were in place on the employee's devices to prevent unauthorized access. The startup has confirmed that it not only lost access to its GitHub repository but also to its Amazon Web Services (AWS) account, which contained sensitive customer data and transaction records. Fortunately, Ravindran stated that they managed to restore data from GitHub through backups from another employee and regained access to their AWS account, which was reportedly protected by multi-factor authentication. Despite these challenges, Ravindran assured that customer data in the AWS cloud remained secure and had not been compromised. He indicated that the startup has collected sufficient evidence to file a police report, although their internal investigation is still ongoing. Additionally, KiranaPro has faced financial strain, with current employees not yet fully compensated following a recent seed funding round of ₹100 million (approximately $1.2 million). The startup has garnered support from several institutional investors, including Blume Ventures and Turbostart, and has notable angel investors such as Olympic medalist PV Sindhu. With 15 employees stationed in Bengaluru and Kerala, the company is navigating a tumultuous period while striving to secure its operations and reputation.