
The recent data loss incident at Indian grocery delivery startup KiranaPro has raised more questions than answers, with the company still unclear about whether it was an internal breach or an external hack.

Last week, the Bengaluru-based startup found itself unable to access its back-end servers, with all its data, including its app code, deleted from GitHub. Initially, the startup blamed a former employee for the breach, but in an interview, KiranaPro co-founder and CEO Deepak Ravindran admitted that the company had not deactivated the employee’s account after their departure, leaving open the possibility of subsequent malicious misuse.

“To get to the bottom of this, we need to conduct a thorough forensic investigation,” Ravindran told TechCrunch. “We will be discussing this with our board, investors, and seeking a formal opinion from our legal advisors.”

Earlier, on Friday, Ravindran had claimed in a post on X that the incident was an internal breach, stating that no external party had penetrated their ordering or payment systems. However, he also shared a screenshot of a LinkedIn profile of a former employee, alleging that they had deleted the startup’s code.

The co-founder wrote, “[This was] an internal data breach, specifically the result of actions taken by a trusted internal employee who had legitimate access to our systems.” However, when asked if KiranaPro could rule out the possibility of a third party gaining malicious access to the former employee’s account, Ravindran couldn’t provide a definitive answer.

“We would need to perform a complete forensic check, including an IP scan, and examine all devices used,” he explained. “But we haven’t done that yet, as it would require significant resources.”

The basis for Ravindran’s allegation against the former employee was a response from GitHub, which included a username supposedly associated with the former employee. However, Ravindran acknowledged that the company hadn’t conducted a thorough investigation, saying, “All we have is the email from GitHub stating that [the former employee’s username] deleted the account.”

Former employee’s account was never offboarded

Launched in late 2024, KiranaPro operates as a buyer app on the Indian government’s Open Network for Digital Commerce, allowing over 55,000 customers in 50 cities to purchase groceries from local shops and supermarkets using its voice-based interface. The company also supports local language inputs, including English, Hindi, Malayalam, and Tamil.

Ravindran stated that the company had decided to call out the former employee based on their “belief system,” claiming that the former employee had deleted the data after being suddenly terminated. However, the startup admitted that it wasn’t aware if there were adequate protections on the former employee’s devices, such as multi-factor authentication, to prevent malicious third-party access.

The company confirmed that it had not removed the employee’s access to its data and GitHub account after their departure, with KiranaPro’s chief technology officer, Saurav Kumar, attributing this to the lack of a full-time HR department. “Employee offboarding was not being handled properly,” Kumar confirmed.

Company restores AWS account and GitHub data

In addition to its code saved in GitHub, KiranaPro also lost access to its Amazon Web Services (AWS) account, which included customer data and transaction details. However, Ravindran told TechCrunch that the GitHub data was restored after obtaining a backup from one of its employees, and the startup also regained access to its AWS account and customer data.

Both Ravindran and Kumar stated that the AWS account was protected by multi-factor authentication, but neither could explain how the account was accessed, as nobody else had physical access to Ravindran’s phone, which generated the multi-factor code.

Ravindran claimed that the customer data stored in the AWS cloud remained intact and was not accessed by any third parties or downloaded by the former employee in question. “If that were the case, I would have received a notification via email or otherwise,” he said.

The startup has enough evidence to file a formal complaint with the police, but its investigation is ongoing. Additionally, Ravindran confirmed that the company has not fully paid its current employees, despite recently raising a seed round of ₹100 million (approximately $1.2 million), which has yet to be fully wired.

KiranaPro’s investors include Blume Ventures, Unpopular Ventures, and Turbostart, as well as angel investors Olympic medalist PV Sindhu and Boston Consulting Group managing director Vikas Taneja. The startup has 15 employees located in Bengaluru and Kerala.

