KiranaPro Data Loss Raises Questions Over Internal Breach or External Hack

Indian grocery delivery startup KiranaPro recently faced a significant data loss incident that has left many questions unanswered. The Bengaluru-based company discovered it could not access its backend servers, and all its data, including app code stored on GitHub, had been deleted. The startup initially blamed a former employee for the breach but has not ruled out the possibility of an external hack due to incomplete offboarding procedures and lack of a thorough forensic investigation.

KiranaPro’s co-founder and CEO, Deepak Ravindran, stated that the company had not deactivated the former employee’s account after their departure, leaving the door open for potential malicious use. While Ravindran publicly claimed the incident was an internal breach caused by a trusted employee deleting critical server logs, he admitted that a full forensic investigation was not conducted due to cost and resource constraints. This ambiguity means the company cannot definitively exclude the possibility of an external party exploiting the former employee’s credentials.

The startup’s failure to properly offboard the employee was confirmed by its CTO, Saurav Kumar, who cited the absence of a full-time HR resource as a key factor. This oversight allowed the former employee’s GitHub and internal system access to remain active, which is a critical security lapse. KiranaPro also lost access to its Amazon Web Services (AWS) account, which contained customer data and transaction details, though this data was reportedly not compromised and was restored from backups.

Despite multi-factor authentication protecting the AWS account, the startup could not explain how access was regained without physical access to the CEO’s device generating the authentication codes. This raises concerns about potential vulnerabilities in their security protocols or insider knowledge. KiranaPro is currently considering filing a formal complaint with police but continues to investigate the incident internally.

Launched in late 2024, KiranaPro operates on the Indian government’s Open Network for Digital Commerce, serving over 55,000 customers across 50 cities with a voice-based grocery ordering app supporting multiple local languages. The incident highlights the challenges startups face in securing sensitive data and managing employee access as they scale rapidly.

This case underscores the critical importance of robust offboarding processes, continuous monitoring, and comprehensive forensic investigations in incident response. Without these, companies risk prolonged uncertainty and potential data exposure, which can erode customer trust and investor confidence.

For startups navigating rapid growth and complex security landscapes, KiranaPro’s experience is a cautionary tale. It highlights the need for integrating security best practices early, including multi-factor authentication, timely revocation of access rights, and readiness to conduct forensic audits when incidents occur.