Grocery Startup KiranaPro Hacked, Entire Servers Deleted in Insider Breach

The420.in Staff

A devastating cyberattack has crippled grocery delivery startup KiranaPro, wiping out servers, source code, and customer data. As suspicions circle a former employee, questions mount about internal controls, cybersecurity, and the vulnerabilities haunting India’s fast-growing tech ecosystem.

The Breach That Brought Down a Startup

KiranaPro, an ambitious grocery delivery startup working within India’s ONDC framework, has found itself at the center of one of the most destructive insider cyberattacks in India’s startup landscape to date. The Bengaluru-based company confirmed that on May 26, all of its operational infrastructure, hosted on Amazon Web Services (AWS), was deleted in a calculated assault that also targeted its GitHub repositories, effectively paralyzing the business.

What started as a routine attempt to access administrative systems escalated into a full-scale disaster when engineers realized they were locked out. Multi-factor authentication (MFA) was bypassed. Root accounts were breached. Within hours, servers were wiped, application code destroyed, and customer data erased, effectively nullifying years of effort and millions in venture funding.

In a statement, CEO Deepak Ravindran said that this wasn’t just a data breach; it was personal, deliberate, and strategic. The attacker knew exactly where to strike.

Suspicions Point Inward: Was This an Insider’s Job?

As technical teams worked through the chaos, audit logs and forensic traces unearthed a disturbing pattern. The attack appeared to have originated from an account tied to a former employee. According to company insiders, this individual retained credentials that had not been revoked, even after their departure, raising serious questions about KiranaPro’s offboarding practices and internal access governance.

While the identity of the ex-employee has not been officially disclosed, sources suggest the person held elevated privileges that allowed them to bypass security barriers, including root access to critical systems. Legal teams have begun preparing to file charges, while the startup explores recovery options and potential replatforming strategies. The larger issue, however, is not just about one rogue actor; it is about system-level blind spots and accountability within India’s booming startup ecosystem.


What KiranaPro Lost, and What It Means for ONDC?

Launched as a digital-first solution to streamline grocery delivery across 50 Indian cities, KiranaPro had steadily built a base of over 55,000 customers and was processing around 2,000 daily orders. As a participant on the government-backed Open Network for Digital Commerce (ONDC), the startup represented a new wave of tech-enabled retail democratization.

The deleted data includes everything from user profiles and delivery addresses to payment records and backend algorithms, many of which are reportedly non-recoverable. The startup’s app is currently non-functional and has been pulled from app stores pending a security review.

While KiranaPro insists there is no evidence that customer data was exfiltrated prior to deletion, cybersecurity experts remain skeptical and have called for an independent audit of the breach.

A Cautionary Tale for India’s Startup Boom

The KiranaPro attack has reignited concerns over how well Indian startups are equipped to handle cybersecurity at a large scale. With most early-stage companies focused on growth, security often takes a back seat. In KiranaPro’s case, lack of timely de-provisioning of access, failure to secure admin accounts, and inadequate monitoring contributed to the perfect storm.

For ONDC, the incident underscores the risks of entrusting core retail infrastructure to under-protected digital players. Analysts suggest that regulatory standards for cybersecurity in ONDC-affiliated ventures may need urgent strengthening.

Ravindran remains cautiously optimistic, saying this was their worst day, but it won’t be their last. He said that they are rebuilding, rethinking, and reaffirming their commitment to secure and transparent commerce.

As recovery efforts begin, the KiranaPro episode serves as a sobering reminder that in the digital age, a single point of failure can bring down an entire enterprise.

 

About the author – Prakriti Jha is a student at National Forensic Sciences University, Gandhinagar, currently pursuing B.Sc. LL.B (Hons.) with a keen interest in the intersection of law and data science. She is passionate about exploring how legal frameworks adapt to the evolving challenges of technology and justice.
