Click USA Inc is claiming that PriceSmart Inc breached certain provisions of a stock purchase agreement surrounding the sale of Aeropost Inc, which suffered a massive cybersecurity breach around April 23.

In its 10-K filing which was released after hours on Monday, PriceSmart indicated that it received notice on August 5 from Click USA and Aeropost who are seeking to hold the international membership shopping warehouse club company liable for losses and future claims which could exceed US$3 million. The companies allege that PriceSmart made inaccurate or incomplete representations and warranties relating to Aeropost, Inc’s cybersecurity and the condition of its IT systems in connection with the sale of the casillero and marketplace business.

As a result of the cyberattack, Click wants to hold the firm liable for some amount of damages due to losses related to the cyberattack and possible third-party claims relating to the cyberattack.

“Per the express terms of the agreement, the maximum amount of all losses for which PriceSmart may be liable for claims arising out of allegations concerning the above-referenced representations and warranties is [US] $4,000,000. PriceSmart intends to vigorously defend itself and, as such, we have concluded that a loss related to this matter is not probable and any potential loss is not reasonably estimable; therefore, we have not accrued a liability for this matter,” the annual report stated.

The report also stated that in relation to the October 2021 sale, “In addition, we and the buyer of the legacy casillero and marketplace businesses have agreed to indemnify each other for any breach of representations and warranties we made to one another in the purchase agreement.”

PriceSmart had originally acquired Aeropost in March 2018 for US$28.95 million as part of its focus on enhancing its online shopping experience for its members from the technology associated with Aeropost. This lead to the development of software and systems for e-commerce and logistics for PriceSmart along with an improvement of its distribution and logistics systems to advance it omni-channel shopping experience.

PriceSmart sold the business in October 2021 to Bahamian-based Click to Collect Company Limited which resulted in it collecting US$4.96 million as proceeds from the transaction and booked a pre-tax gain of US$2.7 million. Pricesmart retained key Aeropost personnel and technology with the former subsidiary providing US$2 million of logistical services as needed to Pricesmart for 36 months.

“This technology and talent have helped us combine our brick-and-mortar operations with online capabilities, supported by a more sophisticated distribution system. These online capabilities and the enhanced distribution system provide us with the potential to expand our geographic coverage, reach more Members in more ways, increase efficiencies, reduce costs and provide Members with greater value,” Pricesmart’s annual report added on the value extracted by retaining key personnel from Aeropost.

In an earnings call on Tuesday, PriceSmart Chief Executive Officer Sherry Bahrambeygui noted that up to August 31, 51.4 per cent of its membership base have an online programme with pricesmart.com which is up from zero two years ago. Thirteen per cent of its overall membership base made a purchase on the website with 8.5 per cent of new memberships purchased online in its 2022 fourth quarter. Online renewals represent 4.3 per cent of total renewals which is further compounded by the fact that 8.3 per cent of its total 1.76 million membership base has auto-renewal turned on. PriceSmart has 50 clubs spread across 13 countries and territories across the Latin American and Caribbean region.

“Lastly, in late August, we increased pickup, fostering key demand times in our Jamaica club by 6.3 per cent, or 446 slots. This contributed to the highest online single month of sales ever in September for Jamaica with orders increasing by 19.6 per cent for the same period,” said Bahrambeygui on the company’s Jamaican operations which saw its second store opened in Portmore in April.

Click Partners LP, which is a British Virgin Islands limited partnership, is the firm which is behind the acquisition of Aeropost Inc. Click Partners LP announced that it had also acquired smart-locker and marketplace technology provider Click to Collect West Indies Limited at the same time it acquired Aeropost.

Click LP’s mission is stated as,” to revolutionise the online shopping experience for retailers and consumers in Central America and Caribbean, building one of the largest e-commerce marketplace and smart-locker networks in the region and optimising last-mile delivery and service.”

Click LP was co-founded by Bahamian entrepreneur Sebastian Bastian and Canadian Adam Arviv with Simon Legge taking on the role of chief financial officer. The trio’s focus was on the launch of a smart locker platform to service 60 million customers across the region.

According to the Bahamian newspaper The Tribune, Bastian raised nearly US$20 million from 20 unidentified investors in the US capital markets in September 2021 which was used to finance the purchase of Aeropost.

The Nassau Guardian stated that Click Partners promised to bring an Amazon-like marketplace to The Bahamas and region in Q1 2022. A new e-commerce platform was to be launched this year to improve the business of retailers in The Bahamas while using Aeropost in other business partnerships to have smart lockers available at different gas stations in The Bahamas.

The cybersecurity breach which occurred saw numerous Aeropost users whose cards were stored on the website being used for a number of transactions not associated with them. One Bahamian Twitter user reported US$2,464 ($381,920) in transactions while a Jamaican on Instagram said her card was charged US$800. In order to protect its customers further, it reset the credentials of all users in the system and deleted all credit cards stored in its system. The company also encouraged users to check their credit card statement and request a replacement credit card.

“This breach resulted in customer data, including credit card details for a small percentage of Mailpac’s customers being compromised. Even though Aeropost maintains all customer information in an encrypted form and under a PCI certified zone, their security monitoring protocol identified unusual activity on a server used for file management,” said Mailpac Group in a Jamaica Stock Exchange disclosure relating to their technology partner.

However, a full stack developer on Twitter said, “[It] appears they also stored the CVV and the full card number along with other customer information allowing transactions to be validated. Likely encryption cipher used [was] also weak. Disappointing security practices and major loss for customers.”

Aeropost is an integrated e-commerce provider that supplies end-to-end services across 38 countries in Latin America and Caribbean. It’s been in existence since 1988 and operates a 177,000-square-foot international logistics hub at its headquarters in Miami, Florida.