Kiranapro Co-founder: Data Wipe Could Be Due to Hack

June 7, 2025

KiranaPro Data Loss: A Shifting Narrative

Recent reports surrounding data loss at Indian grocery delivery startup KiranaPro reveal inconsistencies, with the company struggling to definitively determine the cause of the incident – whether it stemmed from an internal security lapse or an external cyberattack.

Initial Discovery and Allegations

Last week, the Bengaluru-based company experienced a critical disruption, losing access to its back-end servers and discovering the complete deletion of its application code from GitHub. Initially, KiranaPro attributed the breach to a former employee.

However, CEO and co-founder Deepak Ravindran later acknowledged that the company had failed to deactivate the ex-employee’s account following their departure. This oversight raises the possibility of unauthorized access and malicious activity using the previously held credentials.

Forensic Investigation Pending

A comprehensive forensic investigation is now being considered. Ravindran stated the company will discuss the matter with its board of directors, investors, and legal counsel to obtain a formal assessment of the situation.

Earlier statements published on X (formerly Twitter) characterized the incident as an internal breach, explicitly denying any external intrusion.

Contradictory Statements and Limited Evidence

Ravindran asserted that no external party had compromised their ordering or payment systems, exploited vulnerabilities, or circumvented security measures. This claim contrasts with the uncertainty expressed regarding the former employee’s account access.

KiranaPro publicly shared a screenshot of a former employee’s LinkedIn profile on X, suggesting their involvement in the code deletion. However, concrete evidence supporting this accusation has not yet been presented.

Internal Breach Claim and Server Log Deletion

The co-founder described the incident as an internal data breach, specifically attributing it to a trusted employee who intentionally deleted critical server logs during testing or editing. This action, he emphasized, violated company policies and the trust placed in its team.

Unresolved Questions Regarding Account Access

When questioned by TechCrunch, Ravindran conceded that KiranaPro could not definitively rule out the possibility of a third party gaining unauthorized access to the former employee’s account.

A full forensic audit, including an IP scan and examination of company devices, would be necessary to determine the full extent of the breach. However, Ravindran indicated that the cost associated with such an investigation led to a decision to postpone it.

Reliance on GitHub Response

The initial allegation against the former employee was based on a response received from GitHub. This response identified a username associated with the ex-employee as the entity responsible for the account deletion.

Ravindran confirmed that the company has not conducted further investigation beyond the information provided in the GitHub response, relying solely on the email notification indicating the former employee’s username was linked to the deletion.

Data Security Lapse: Former Employee Account Not Deactivated

KiranaPro, a buyer application functioning on India’s Open Network for Digital Commerce, began operations in late 2024. The platform currently serves over 55,000 consumers across 50 cities, enabling grocery purchases from local stores and supermarkets via a voice-activated system.

The application also provides support for multiple languages, including English, Hindi, Malayalam, and Tamil, catering to a diverse user base.

According to Ravindran, the decision to publicly address the incident involving the former employee stemmed from the company’s core principles. KiranaPro alleges that the individual intentionally deleted data subsequent to their abrupt dismissal from the company.

A significant security concern has been raised regarding the adequacy of safeguards on the former employee’s devices. The startup has acknowledged uncertainty about the presence of security measures like multi-factor authentication, which could have prevented unauthorized access from external threats, such as malware.

Confirmation has been provided that the employee’s access privileges to company data and the GitHub account were not revoked upon their leaving the organization.

Saurav Kumar, KiranaPro’s CTO, disclosed to TechCrunch that inadequate HR resources contributed to the issue. “Proper employee offboarding procedures were lacking due to the absence of a dedicated, full-time HR professional,” he stated.

Key Issues Identified

  • Failure to promptly deactivate access to sensitive data.
  • Lack of robust security protocols on employee devices.
  • Insufficient HR infrastructure for effective offboarding.

These factors collectively created a vulnerability that potentially allowed for unauthorized data access and deletion.

Data Recovery Following Security Incident at KiranaPro

KiranaPro experienced a security breach resulting in the loss of access to both its GitHub repository and its Amazon Web Services (AWS) account. This AWS account contained critical information, including customer data and transaction records.

According to reports shared with TechCrunch, the company successfully recovered its code from a backup provided by a member of staff. Access to the compromised AWS account, along with the associated customer data, was also subsequently restored.

Account Security and Investigation

Despite the implementation of multi-factor authentication (MFA) on the AWS account, the method of unauthorized access remains unclear. Neither the co-founder nor the CTO could determine how the account was breached, noting that Ravindran’s phone – the MFA code generator – was not physically accessible to others.

Ravindran asserts that the customer data held within the AWS cloud was not compromised. He states there is no indication of unauthorized access or data download by the former employee implicated in the incident.

He further indicated that the company would expect to be notified had any data breach occurred, stating, “I will get its notification on email or anything [sic].”

An internal investigation is currently underway, and KiranaPro possesses sufficient evidence to pursue legal action by filing a formal police complaint.

Financial and Investor Details

The company is currently facing challenges with employee payroll. This situation arose shortly after securing a seed funding round of ₹100 million (approximately $1.2 million), which has not yet been fully transferred to the company.

KiranaPro’s investor base includes prominent venture capital firms such as Blume Ventures, Unpopular Ventures, and Turbostart. Additionally, the company has received investment from angel investors including Olympic medalist PV Sindhu and Vikas Taneja, a managing director at Boston Consulting Group.

The company employs a team of 15 individuals, distributed between Bengaluru and Kerala.
