Exclusive: The company's co-founder and CTO blame a former employee for the breach, but cannot rule out that it was not that employee.
# Incident Report: KiranaPro Server Deletion and Data Access Crisis
## Executive Summary
Indian grocery delivery startup KiranaPro experienced a major security incident resulting in the deletion of its backend servers and application code from GitHub. The company initially blamed a former employee for an internal data breach, citing evidence from GitHub communications. However, the investigation remains inconclusive as the company failed to properly offboard the terminated employee, leaving unauthorized access possible and preventing them from ruling out external compromise of that former account.
## Incident Details
- Discovery Date: Last week (Prior to journalist interview)
- Incident Date: Undisclosed timeframe leading up to discovery
- Affected Organization: KiranaPro
- Sector: Grocery Delivery / E-commerce Technology
- Geography: Bengaluru, India
## Timeline of Events
### Initial Access
- Date/Time: Unknown (During or after former employee termination)
- Vector: Failure of proper employee offboarding procedures leading to sustained access for a former employee or subsequent malicious actor exploiting that account.
- Details: The company confirmed they did not deactivate the former employee’s accounts upon their departure.
### Lateral Movement
- **Internal/Unknown:** Data deletion occurred across critical company systems, including backend servers hosted on AWS and code repositories on GitHub.
### Data Exfiltration/Impact
- **Impact:** Complete deletion of backend server data (including customer data and transaction details stored on AWS) and application code from GitHub.
### Detection & Response
- **Detection:** Startup discovered it could not access its back-end servers and GitHub data.
- **Response actions taken:** Claims were made on X blaming a specific former employee based on GitHub notifications. They are planning a forensic investigation involving legal counsel and the board. GitHub data was restored from employee backups; AWS access and data were regained.
## Attack Methodology
- Initial Access: **Misconfiguration/Insider Threat** (Failure to revoke access for a terminated employee, granting legitimate access that was potentially misused).
- Persistence: Due to lack of offboarding, access was maintained post-termination.
- Privilege Escalation: Not explicitly detailed, but assumed high-level write/delete permissions on critical infrastructure (AWS, GitHub).
- Defense Evasion: If external, MFA on AWS was bypassed or compromised, though the CEO claimed MFA was active on AWS. If internal, standard controls were bypassed by authorized credentials.
- Credential Access: The former employee's credentials were used.
- Discovery: Unknown, but deletion events were triggered across systems.
- Lateral Movement: Not applicable beyond the initial scope of the compromised/misused account's permissions.
- Collection: Customer data and transaction details held in the AWS environment were potentially exposed or accessed, though the CEO denied that any large-scale exfiltration took place before the deletion.
- Exfiltration: Not explicitly confirmed, but primary impact was **Destruction/Data Loss**.
- Impact: **Service Disruption & Data Destruction** (Deletion of all application code and back-end server data).
## Impact Assessment
- Financial: Unknown, but required significant resource allocation for recovery. The company has also reportedly failed to pay current employees fully following a recent seed funding round.
- Data Breach: Customer data and transaction details were stored on AWS, though the CEO claimed this data was not exfiltrated or downloaded by the former employee. The scope of PII exposure is unclear.
- Operational: Severe operational disruption due to the deletion of back-end servers and application code.
- Reputational: Significant negative press coverage due to the contradictory statements regarding an "internal breach" versus an "external hack" and the lack of basic security hygiene (offboarding).
## Indicators of Compromise
- **Behavioral indicators:** Unauthorized deletion commands executed on GitHub repositories and primary AWS infrastructure coinciding with the departure of an employee.
- **Note:** Specific network or file indicators were not publicly detailed, as the company halted deep forensic investigation.
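As an added example (not part of the original report), the behavioral indicator above expressed as a check: it scans CloudTrail-style and GitHub audit-log-style records for any activity by an identity after its offboarding date and marks destructive actions as critical. The roster, event records, usernames and dates are constructed samples; a real run would feed it the HR roster and exported logs.

```python
from datetime import datetime, timezone

# Constructed offboarding roster: identity -> termination time (UTC).
# In practice this comes from the HR system; "former-dev" is a sample name.
OFFBOARDED = {
    "former-dev": datetime(2025, 5, 20, tzinfo=timezone.utc),
}

# Action names that destroy data: CloudTrail eventName values and
# GitHub organization audit-log action values.
DESTRUCTIVE_AWS = {"TerminateInstances", "DeleteDBInstance", "DeleteBucket"}
DESTRUCTIVE_GITHUB = {"repo.destroy"}

# Constructed sample records, shaped like CloudTrail events and GitHub
# audit-log entries (only the fields the check reads are present).
SAMPLE_AWS = [
    {"eventTime": "2025-05-22T03:14:00Z", "eventName": "TerminateInstances",
     "userIdentity": {"userName": "former-dev"}},
    {"eventTime": "2025-05-22T03:20:00Z", "eventName": "DescribeInstances",
     "userIdentity": {"userName": "former-dev"}},
    {"eventTime": "2025-05-22T09:00:00Z", "eventName": "DescribeInstances",
     "userIdentity": {"userName": "ops-lead"}},
]
SAMPLE_GITHUB = [
    {"@timestamp": 1747648800000, "action": "git.push",       # before cutoff
     "actor": "former-dev", "repo": "example-org/app"},
    {"@timestamp": 1747890000000, "action": "repo.destroy",   # after cutoff
     "actor": "former-dev", "repo": "example-org/app"},
]

def _aws_actor_time(ev):
    when = datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00"))
    return ev["userIdentity"].get("userName"), when

def _github_actor_time(ev):
    when = datetime.fromtimestamp(ev["@timestamp"] / 1000, tz=timezone.utc)
    return ev["actor"], when

def find_post_termination_activity(aws_events, github_events, roster=OFFBOARDED):
    """Return one finding per action by an offboarded identity after its
    termination time; destructive actions get severity 'critical'."""
    findings = []
    sources = (("aws", aws_events, _aws_actor_time, "eventName", DESTRUCTIVE_AWS),
               ("github", github_events, _github_actor_time, "action", DESTRUCTIVE_GITHUB))
    for source, events, extract, action_key, destructive in sources:
        for ev in events:
            actor, when = extract(ev)
            cutoff = roster.get(actor)
            if cutoff is None or when <= cutoff:
                continue  # still employed, or action predates the departure
            action = ev[action_key]
            findings.append({"source": source, "actor": actor, "action": action,
                             "time": when.isoformat(),
                             "severity": "critical" if action in destructive else "high"})
    return findings
```

Any finding at all from an offboarded identity is evidence the revocation step was missed, regardless of severity; that is the condition the report's "Lessons Learned" section describes.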
## Response Actions
- **Containment measures:** Regaining access to AWS and restoring GitHub code from internal backups.
- **Eradication steps:** Unclear, pending planned forensic investigation. At minimum, the terminated employee's access should have been revoked immediately upon discovery/termination.
- **Recovery actions:** Restoring application code from GitHub backups and regaining control/access to the main AWS environment.
## Lessons Learned
- **Critical Failure in Offboarding:** The most severe lesson is the failure to conduct timely and complete employee offboarding, particularly account deactivations upon termination, which allowed access to be maintained or repurposed.
- **Adversarial Uncertainty:** The incident highlights the danger of concluding a breach is internal without a full forensic investigation, especially when basic security hygiene (offboarding) has failed, leaving the door open for account takeovers.
- **MFA Bypass/Compromise:** The CEO could not explain how the MFA-protected AWS account was accessed, indicating potential MFA fatigue, SMS interception, or physical access compromising the token source.
## Recommendations
- **Implement Strict Access Revocation Policies:** Establish automated, mandatory access termination protocols tied to HR offboarding procedures, ensuring immediate disabling of all network, cloud, and source code credentials upon employee departure.
- **Mandatory MFA Implementation:** Ensure MFA is enforced across all critical infrastructure (AWS Console, GitHub, etc.) and review procedures for authenticating MFA tokens (e.g., utilize FIDO2/hardware tokens over SMS/TOTP where possible).
- **Conduct Full Forensic Audit:** Despite initial hesitation due to cost, a complete forensic sweep of all endpoints and logs is necessary to definitively rule out external compromise or malware insertion via the former employee's potentially unsecured device.