The recent data loss story of Indian grocery delivery startup Kiranapro has more holes than Swiss cheese, as the startup still does not know whether the incident was an insider violation or an external hack.
Last week, the Bengaluru-based startup discovered that it had lost access to its backend servers and that all of its data, including its app code, had been removed from GitHub. On Friday the startup blamed a former employee for the breach. However, in an interview, Kiranapro co-founder and CEO Deepak Ravindran admitted that the company had not deactivated the employee's accounts after they left, and that it could not rule out the possibility that those accounts were later misused maliciously by someone else.
“If we go deeper, we have to do a real forensic investigation. We're going to talk [about] this with our board of directors, our investors, and we are looking to get formal opinions from our legal counsel on that as well,” Ravindran told TechCrunch.
Earlier on Friday, Ravindran claimed in a post on X that the incident that affected the data was an insider breach.
“After careful investigation, we conclude that this is not a hack. There are no external parties who have infiltrated the order or payment system, exploited vulnerabilities, or bypassed security protocols,” he wrote.
The co-founder also claimed on Thursday, in a post on X, that a former Kiranapro employee had deleted the startup's code, and shared a screenshot of that employee's LinkedIn profile. (TechCrunch is not linking to the posts, as the startup has not yet provided concrete evidence to support its position.)
“[T]his was an internal data breach. Specifically, it was the result of actions taken by trusted internal employees with legal access to our system,” the co-founder wrote in a post on Friday.
When TechCrunch asked whether Kiranapro could rule out that the former employee's accounts had been maliciously accessed by someone else, Ravindran said it could not.
“We have to do a full forensic check in our company. We have to do an entire IP scan. We have to see where the truck happened. We have to check our computers, MacBooks and what is used.”
So, what was the basis for Ravindran's allegation? It was a response from GitHub, a copy of which was shared with TechCrunch.
The response included a username that Ravindran said was associated with the former employee.
“All we have is the email we got from GitHub, and it says [the former employee's username] is the person who deleted the account as an individual,” Ravindran told TechCrunch.
Former employee's accounts were never offboarded
Launched in late 2024, Kiranapro operates as a buyer app on the Indian government's Open Network for Digital Commerce. The startup allows over 55,000 customers in 50 cities to purchase groceries from local stores and nearby supermarkets using a voice-based interface. The app also supports local-language input, including English, Hindi, Malayalam and Tamil.
Ravindran said he decided to call out the former employee based on the company's “belief system”, claiming that the former employee deleted the data after being abruptly terminated.
However, the startup said it does not know whether the former employee's devices had sufficient protection, such as multi-factor authentication, to prevent malicious third-party access, for example via malware.
The company confirmed that it did not revoke the employee's data and GitHub account access after their departure.
“As there was no full-time HR, off-boarding for employees was not properly handled,” Kiranapro Chief Technology Officer Sauraf Kumar confirmed to TechCrunch.
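The failure described in this section is a missing offboarding control: accounts that survive an employee's departure, some without a second factor. As an added illustration (not Kiranapro's code or data; all names, e-mail addresses and system labels below are constructed placeholders), the following script shows the kind of recurring audit a small team without an HR function can still run: it compares exported account lists from a source-code host and a cloud IAM against the current-staff roster, flags accounts whose owner is no longer on the roster, and flags remaining accounts that have MFA disabled.

```python
"""Offboarding audit over constructed sample data (not Kiranapro's systems).

Compares the accounts that still exist in a source-code host and a cloud
IAM against the current-staff roster, and flags accounts that should have
been revoked at departure or that lack multi-factor authentication.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    system: str        # "github-org" or "aws-iam": constructed labels, not real exports
    username: str
    email: str
    mfa_enabled: bool
    is_admin: bool = False


# Constructed sample data: HR roster of current staff, keyed by work e-mail
CURRENT_STAFF = {"alice@example.test", "bob@example.test", "ceo@example.test"}

# Constructed sample data: accounts as they might be exported from a
# source-code host and a cloud IAM. "former-eng" has already left the company.
ACCOUNTS = [
    Account("github-org", "alice-dev", "alice@example.test", mfa_enabled=True),
    Account("github-org", "former-eng", "former@example.test", mfa_enabled=False, is_admin=True),
    Account("github-org", "ceo", "ceo@example.test", mfa_enabled=True, is_admin=True),
    Account("aws-iam", "bob", "bob@example.test", mfa_enabled=False),
    Account("aws-iam", "former-eng", "former@example.test", mfa_enabled=True, is_admin=True),
]


def stale_accounts(accounts, current_staff):
    """Accounts whose owner is not on the roster: these should have been revoked at offboarding."""
    return [a for a in accounts if a.email not in current_staff]


def accounts_without_mfa(accounts):
    """Accounts with no second factor: a single leaked password gives full access."""
    return [a for a in accounts if not a.mfa_enabled]


def audit(accounts, current_staff):
    """Return (severity, system, username, action) findings, most severe first.

    A stale admin account is the worst case: it can delete repositories or
    cloud resources and nobody on staff is accountable for it.
    """
    findings = []
    for a in stale_accounts(accounts, current_staff):
        severity = "critical" if a.is_admin else "high"
        findings.append((severity, a.system, a.username, "owner not on current roster; revoke"))
    for a in accounts_without_mfa(accounts):
        if a.email in current_staff:  # stale accounts are already reported above
            findings.append(("medium", a.system, a.username, "MFA not enabled; enforce"))
    order = {"critical": 0, "high": 1, "medium": 2}
    return sorted(findings, key=lambda f: order[f[0]])


if __name__ == "__main__":
    for severity, system, user, action in audit(ACCOUNTS, CURRENT_STAFF):
        print(f"[{severity}] {system}/{user}: {action}")
```

In practice the two input lists would come from the providers' member and user exports and the roster from payroll or HR; the point of the script is that the comparison is mechanical, so it can run on a schedule and catch a departure that nobody remembered to act on.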
Company restores AWS account and GitHub data
In addition to the code stored on GitHub, Kiranapro also lost access to its Amazon Web Services (AWS) account, which held customer data and transaction details.
Ravindran told TechCrunch that the GitHub data was restored from a backup held by one of its employees. The startup has also regained access to its AWS account, along with the customer data.
Both the co-founder and the CTO said the AWS account was protected by multi-factor authentication, but they could not explain how it was accessed, since no one else had physical access to Ravindran's phone, which generated the multi-factor codes.
Nevertheless, Ravindran claimed that the customer data stored in AWS was intact, had not been accessed by third parties, and had not been downloaded by the former employee in question.
“If that's the case, I'll get that notification in email or something like that [sic],” he said.
That said, Ravindran said the startup has enough evidence to file a formal complaint with the police, but the investigation is ongoing.
The startup is also not paying its current employees in full, the co-founder confirmed, shortly after the company raised a seed round of ₹100 million (approximately $1.2 million).
The startup counts Blume Ventures, Unpopular Ventures and Turbostart among its venture backers, with Olympic medalist PV Sindhu and Boston Consulting Group managing director Vikas Taneja as angel investors. It has 15 employees in Bengaluru and Kerala.