KiranaPro Faces Data Breach as Co-Founder Weighs Options for Investigation

By Kevin Lee

KiranaPro, another Indian grocery delivery startup, raised in late 2024. Recently, it has made headlines because of a major data breach attributed to a former employee. KiranaPro functions as a buyer app on the Indian government’s Open Network for Digital Commerce. Serving more than 55,000 customers across 50 cities, it allows users to order groceries from small kirana stores and large supermarkets using a simple voice-based chatbot interface. The event underscores the vulnerability of cybersecurity infrastructure in this fast-paced area of electronic communication and commerce.

According to the startup’s co-founder, Deepak Ravindran, the breach was the result of internal actions rather than an external hack. “This was an internal data breach. Specifically, it was the result of actions taken by a trusted internal employee who had legitimate access to our systems,” Ravindran stated. Following their unexpected dismissal, the ex-employee’s access was removed. Allegedly, they deleted all of KiranaPro’s data from the back-end servers and erased the app code stored on GitHub.

Details of the Breach

KiranaPro discovered the breach last week when it found itself locked out of its back-end servers. Through its ongoing investigation, the company verified that the customer data hosted on Amazon Web Services (AWS) was never compromised and that no third parties were ever able to view it. Ravindran emphasized the importance of this fact, stating, “After careful investigation, we conclude that this was not a hack. No external party penetrated our ordering or payment systems, exploited vulnerabilities, or bypassed security protocols.”

Ravindran was quick to assure that the former employee downloaded no customer data. He pointed out that there was no cause to believe otherwise prior to the removal. “We have nothing except the emails that we received from GitHub, indicating that [the former employee’s username] as a person is the one who deleted the account. We still haven’t gotten to the bottom of that,” he continued.

The breach has sparked discussions about the company’s internal communications, especially related to employee offboarding. Saurav Kumar, another key figure within KiranaPro, noted that “Employee offboarding was not being handled properly because there was no full-time HR.” This might seem like a small oversight, but it likely made it that much easier for the former employee to carry out such a massive breach.

Moving Forward with Investigation

KiranaPro now finds itself in a tough spot. Ravindran stressed the need for a full forensic investigation to understand the scope of the breach. “If we go deeper, we have to do a real forensic investigation. We are going to talk about this with our board, the investors, and we are going to get a formal opinion on that with our legal advisers,” he stated.

The startup is still weighing whether or not to file a formal complaint with local law enforcement. Ravindran said the company had collected more than enough evidence to justify the suit. At the same time, he stressed that more research is needed before proceeding. “We need to do a full forensic examination of the corporation. We need to run the full IP scan. We need a very fine lens to come in and look at where the tracks occurred,” he said.

As daunting as these challenges may be, KiranaPro remains relentless in its pursuit of seamless grocery delivery. The phygital-only platform supports inputs in local languages, such as English, Hindi, Malayalam and Tamil, winning the hearts of its diverse customer base. With 15 employees located in Bengaluru and Kerala, KiranaPro aims to strengthen its operations and security measures in light of this incident.

Implications for the Industry

The KiranaPro incident underscores an important point: startups are highly vulnerable as they grow and pivot through the digital commerce ecosystem. As more companies adopt technology-driven solutions that make previously manual, everyday services smarter, richer, and faster, cybersecurity protections should remain top of mind.

Ravindran’s perspective on the breach further underscores the need for more robust human resources practices. Without established offboarding procedures for employees who leave, whether voluntarily or not, the risks to any organization can be monumental. As KiranaPro wrestles with today’s challenges, it has provided lessons for other startups. Addressing this issue should motivate them, both in India and outside, to focus inwardly on their internal practices and security infrastructure.
