Puppies, kittens, data at risk after 'cyber incident' at veterinary giant

First, they came for hospitals, then it was charities and cancer centers. Now, cyber scumbags are coming for the puppies and kittens.

CVS Group, the company behind one of the UK's largest chains of vet practices, announced a "cyber incident" on Monday, hinting at the possibility of data theft and clinical care at some of its practices being affected.

The incident has forced CVS to engage its incident response plan, which involved pulling systems offline to isolate the incident. The consequences of the temporary IT shutdown "caused considerable operational disruption over the past week," the company stated, and disruption is expected to continue for further weeks still.

It also engaged outside security experts to help investigate the extent of the damage and support CVS's response. The Information Commissioner's Office (ICO) – the UK's data protection regulator – was also notified "due to the risk of malicious access to personal information."

It's not clear what type of data is potentially affected by the incident, but attackers looking to monetize any thefts would likely target personal information of staff and customers, plus financial information and other confidential documents.

CVS operates around 500 practices around the world, most of which are located in the UK, and employs 9,000 people including 3,300 veterinary nurses and 2,400 surgeons.

UK operations have been disrupted, CVS said without offering much in the way of details, but clinical care has remained at its "usual high levels" at "the majority" of its practices. Outside of the UK, operations are unaffected.

"IT services to our practices and business functions have now been securely restored across the majority of the estate; however, due to the increased levels of security and monitoring, some systems are not working as efficiently as previously and this is likely to result in an ongoing operational impact," CVS's notice read.

"Operations outside the UK remain operationally unaffected as do non-CVS hosted systems and the Group's e-commerce systems."

CVS said the incident has forced the company to accelerate its cloud migration strategy, with its practice management system and related infrastructure being moved, owing to the security enhancements and operational efficiencies a cloud approach would offer.

Its share price took a steep but temporary fall when the London market opened on Monday, before regaining much of the loss to a more gradual decline over the previous few days.

The company's market cap stands at £673 million ($849 million), but its share price has fallen heavily since the UK's Competition and Markets Authority (CMA) announced it would launch an investigation into the largest vet chains over unfair prices in March.

Additional updates as regards the integrity of its data and overall IT recovery are expected to be released in due course. ®