The recent story of the Indian shopping episode Kiranapro’s recent story about data loss has more gaps than Swiss cheese, because the startup remains unclear whether the incident was an internal infringement or an external hack.
Last week, the startup-up-up-up foundation discovered that it did not have access to its back-end servers and that all data, including the app code, had been removed from Github. The startup on Friday blamed a former employee. In an interview, however, Kiranapro Co-founder and CEO Deepak Ravindran admitted that the company had not deactivated the employee’s account after they left the company and cannot exclude the possibility of subsequent malignant abuse of their account.
“If we go deeper, we have to do a real forensic investigation. We’re going to talk [about] This with our board, the investors, and we will also get a formal opinion about it with our legal advisers, ”Ravindran told Techcrunch.
Earlier on Friday, Ravindran claimed in a Post on X That the incident that influenced his data was an internal infringement.
“After careful research, we conclude that this was not a hack. No external party penetrated our order or payment systems, approached vulnerabilities or bypassed security protocols,” he wrote.
The co-founder also explicitly shared a screenshot of a LinkedIn profile of one of Kiranapro’s former employees on X on Thursday, claiming that they had removed the code from the startup. (Techcrunch does not share the link of the post, because the startup does not yet have to offer concrete evidence that supports its position.)
‘[T]He was an internal data breach. In particular, it was the result of actions of a trusted internal employee who had legitimate access to our systems, “wrote the co-founder in his position on Friday.” This person deliberately deleted critical server logs while they were tested and/or edited, an action that was placed directly against our policy, our principles, our principles and confidence in our team. “
When Techcrunch asked if Kiranapro could exclude whether a third party had malicious access to the account of the former employee, Ravindran could not.
“We have to do a complete forensic check on the company. We have to do the entire IP scan. We have to see where the tracks have happened. We have to check the computers, MacBooks and what is used. Everything has to be done. Then we have to spend money … So we have decided not to do it,” he said Techcrunch.
What was the basis of Ravindran’s statement? It was a Github response, a copy that he shared with Techcrunch.
The answer included a username, of which Ravindran said it was associated with the former employee.
“All we have are the e -mails we received from Github, which says that [the former employee’s username] As an individual, the one who has deleted the account is. We did not do the investigation any further, “Ravindran told Techcrunch.
The former employee’s account was never brought from the beginning
Kiranapro was launched at the end of 2024 and works as a buyer app on the open network of the Indian government for digital trade. With the startup, more than 55,000 customers in 50 cities can buy groceries at their local shops and nearby supermarkets using his speech -based interface. The company also supports input from local language, including English, Hindi, Malayalam and Tamil.
Ravindran stated that they decided to call the former employee on the basis of the ‘religious system’ of the company, because they claim that the former employee has deleted the data after their sudden termination.
The startup said, however, that it does not know whether there was sufficient protection on the devices of the former employee, such as multi-factor authentication, to limit malignant access to third parties, such as malware.
The company confirmed that it did not delete the employee’s access to his data and Github account after his departure.
“Employee offboarding was not treated correctly because there was no full -time HR,” confirmed Kiranapro’s Chief Technology Officer, Saurav Kumar, to Techcrunch.
Company Restores AWS -Account and Github -Data
In addition to his code stored in Github, Kiranapro also lost access to his Amazon Web Services (AWS) account, which contained its customer data and their transaction data.
Ravindran told Techcrunch that the Github data was restored after they had obtained his backup of one of their employees. The startup also had access to its AWS account, together with his customer data.
Both the co-founder and the CTO said that the AWS account was protected by multi-factor authentication, but neither could say how the account was accessible, because no one else had physical access to Ravindran’s phone, which generates the multi-factor code.
Nevertheless, Ravindran claimed that the customer data stored in the AWS cloud remained intact and was not accessible by third parties, nor was it downloaded by the former employee in question.
“Because if that is the case, I will get the message on e -mail or something [sic]”He said.
That said, Ravindran stated that the startup has sufficient evidence to submit a formal complaint to the police, but said that the investigation is underway.
The startup has also not paid its current employees, the co-founder of the company confirmed, shortly after the company had collected a sperm of £ 100 million Indian rupees (about $ 1.2 million), of which Ravindran said it still needs to be completely wired.
The startup has Blume Ventures, Impricular Ventures and Turbostart under its institutional companies, as well as Olympic medal winner PV Sindhu and Boston Consulting Group Managing Director Vikas Taneja among his Engel Investors. It has 15 employees in Bengaluru and Kerala.
