Cyberattack on UK’s CVS Group disrupts veterinary operations

UK veterinary services provider CVS Group has announced that it suffered a cyberattack that disrupted IT services at its practices across the country.

CVS Group operates 500 veterinary practices throughout the UK, Australia, the Netherlands, and the Republic of Ireland, including nine specialist referral hospitals, 39 dedicated out-of-hours sites, three laboratories, and seven pet crematoria.

The company employs 9,100 people, including 2,400 veterinary surgeons and 3,400 specialized nurses.

In an announcement published on the London Stock Exchange site, CVS Group warns that threat actors gained unauthorized access to some of its IT systems. The firm responded to the situation by shutting down its IT systems, which impacted its operations.

"CVS Group announces it has recently detected and intercepted a cyber incident which had involved unauthorised external access to a limited number of its IT systems," reads the announcement.

"Upon discovery of the incident, CVS took immediate steps to isolate the issue and, to prevent wider unauthorised access, took its IT systems temporarily offline, as part of the Group's response plan."

"Our responses to contain the threat of malicious activity have caused considerable operational disruption over the past week, but to date have been effective in preventing further external access to CVS systems."

CVS says it has engaged third-party specialists to help it investigate the incident and restore IT services safely across its clinics. The process of restoration is underway, and good progress has been made.

The company noted that the incident impacts only UK practices, as operations outside the UK are not hosted on CVS infrastructure.

The notice also disclosed that the cyber-incident has accelerated the strategic plan to migrate all IT infrastructure to the cloud, which, according to CVS, will provide enhanced security and operational efficiency.

This planned migration is expected to extend the period of operational disruption for UK-based practices by several weeks, estimates CVS.

The announcement does not mention anything about the possibility of a data breach impacting CVS personnel or customers. BleepingComputer has contacted CVS with questions about this but a comment wasn't immediately available.

At the time of writing this, no ransomware groups have assumed responsibility for the attack at CVS Group.