The latest data loss problem at Indian grocery delivery service KiranaPro has more flaws than Swiss cheese because the company is still unsure if it was an external intrusion or an inside breach.
The Bengaluru-based firm learned last week that all of its data, including its app code, had been erased from GitHub and that it was unable to access its back-end servers. On Friday, the business attributed the hack to a former employee. Deepak Ravindran, the CEO and co-founder of KiranaPro, said in an interview that the company had not terminated the employee’s account after they left and that it was unable to completely rule out the prospect of further malicious account exploitation.
“We must do a thorough forensic examination if we dig farther. We will discuss [this] with our board, investors, and legal advisors, Ravindran told TechCrunch. We will also obtain a formal opinion on the matter.
In a post on X earlier on Friday, Ravindran asserted that the event affecting company data was an inside hack.
“After thorough examination, we have determined that this was not a hack. No outside entity circumvented security measures, exploited weaknesses, or gained access to our ordering or payment systems,” he stated.
Additionally, on Thursday, the cofounder publicly posted a screenshot of a former employee’s LinkedIn page on X, claiming that the former employee had erased the startup’s code. (TechCrunch is not providing the link to the post since the startup has not yet provided hard evidence to back up its claims.)
An internal data leak occurred. In particular, it was caused by the activities of a reliable internal staff member who had authorized access to our systems,” the co-founder stated in his Friday post.”This person willfully erased important server logs during testing and/or editing, which is strictly against our policies, our values, and the confidence we have in our team.”
Ravindran was unable to respond to TechCrunch’s question about whether KiranaPro could rule out the possibility that a third party had hacked into the former employee’s account.
“We must conduct a thorough forensic investigation into the business. The complete IP scan must be completed. We must examine the location of the tracks. We must inspect the MacBooks, PCs, and other devices in use. Everything must be completed. After that, we would have to spnd money, therefore we chose not to,” he told TechCrunch.
What, then, was Ravindran’s accusation based on? He shared a copy of the GitHub response with TechCrunch.
According to Ravindran, the username contained in the response was connected to the former worker.
“All we have are the emails we received from GitHub confirming that [the former employee’s username] terminated the account on their own. We have not carried out any additional research,” Ravindran told TechCrunch.
Former employee’s account was never offboarded
KiranaPro, a buyer app on the Indian government’s Open Network for Digital Commerce, was introduced in late 2024. Through its voice-based interface, the firm enables over 55,000 clients in 50 locations to buy food from surrounding supermarkets and small stores. Additionally, the business accepts input in Tamil, Hindi, Malayalam, and English.
According to Ravindran, the company’s “belief system” led them to decide to call out the former employee since they believe the person erased the data following their abrupt layoff.
But according to the business, it is unsure if the former employee’s devices have appropriate security measures in place, such multi-factor authentication, to prevent viruses and other harmful third parties from accessing them.
The business acknowledged that once the employee left, it did not deny him access to its data or GitHub account.
Saurav Kumar, the chief technology officer at KiranaPro, told TechCrunch that the lack of a full-time HR department meant that employee offboarding was not being handled correctly.
Company restores AWS account and GitHub data
KiranaPro lost access to its Amazon Web Services (AWS) account, which contained client information and transaction records, in addition to the code it had stored on GitHub.
After obtaining a backup from one of their staff members, Ravindran informed TechCrunch that the GitHub data had been restored. Along with its client data, the firm was also able to access its AWS account again.
Since no one else had physical access to Ravindran’s phone, which generates the multi-factor code, neither the co-founder nor the CTO could disclose how the AWS account was accessed, despite both stating that it was secured by multi-factor authentication.
Ravindran asserted, however, that the client data kept in the AWS cloud was unaltered, unaccessed by outside parties, and not downloaded by the former employee in question.
“Because if that is the case, I will be notified via email or something,” he stated.
The startup has sufficient proof, according to Ravindran, to formally complain to the authorities, but the inquiry is still underway.
The startup has also not fully paid its current employees, the company’s co-founder confirmed, soon after the company raised a seed round of ₹100 million Indian rupees (about $1.2 million), which Ravindran said has yet to be fully wired.
In addition to Olympic medalist PV Sindhu and Boston Consulting Group managing director Vikas Taneja, the firm has institutional venture backers Blume Ventures, Unpopular Ventures, and Turbostart. It employs 15 people in Kerala and Bengaluru.
Leave feedback about this