The Bengaluru-based grocery delivery startup KiranaPro is facing intense scrutiny following a catastrophic data loss incident. Last week, the company discovered that its back-end servers were inaccessible and its entire app codebase had been purged from GitHub. While the startup initially pointed fingers at a former employee, leadership has now conceded that it cannot rule out an external hack due to critical failures in its offboarding processes.
Internal Breach or External Hack?
CEO Deepak Ravindran initially claimed on X that the incident was an “internal data breach,” alleging that a former staffer intentionally deleted critical server logs. However, the narrative shifted during subsequent interviews. Ravindran admitted that the company failed to deactivate the employee’s credentials after their departure, leaving a gaping hole in their security infrastructure.
When pressed on whether a third party could have hijacked the former employee’s active account, Ravindran acknowledged that the startup has yet to perform a formal forensic investigation. “We have to do a complete forensic check on the company. We have to do the entire IP scan,” Ravindran stated, noting that the company has not yet committed the resources required for such an audit.
Security Failures and Offboarding
The incident highlights systemic operational risks within the startup. CTO Saurav Kumar confirmed that proper employee offboarding was ignored due to the lack of a full-time HR department. Furthermore, the startup remains uncertain about whether the former employee’s devices were protected by multi-factor authentication (MFA), leaving the door open for potential malware or unauthorized third-party access.
The basis for the startup’s public accusations relies solely on a GitHub notification identifying the former employee’s username as the source of the deletion. Despite this, the company admits it has not investigated beyond these initial logs, leaving the definitive cause of the data wipe unproven.
Recovery and Financial Instability
KiranaPro has successfully restored its GitHub data from an employee backup and regained access to its Amazon Web Services (AWS) account. While the CEO insists that customer data remained untouched, he could not explain how the AWS account—which was protected by MFA—was compromised in the first place, given that his personal device was the only one capable of generating the required codes.
The crisis comes at a precarious time for the startup. Launched in late 2024, the platform serves over 55,000 customers across 50 cities via India’s Open Network for Digital Commerce (ONDC). Despite securing a ₹100 million (approximately $1.2 million) seed round from investors including Blume Ventures and Unpopular Ventures, the company confirmed that it has not yet fully paid its current staff. With only 15 employees, the startup’s ability to navigate this security and financial turmoil remains in question.