One of the UK’s largest vet groups has told regulators about a possible breach of personal information after it was hit by a cyber-attack.
CVS Group said hackers had gained unauthorised external access to a limited number of its IT systems. The company continued to have problems with slow-running systems on Monday after disruption across the UK business.
The chain has more than 500 locations around the world, most of which are in Britain, and is one of the big six groups of UK veterinary practices. Those groups, with backing from large investors, have snapped up vet practices across the country.
The largest rivals to CVS include the private equity-owned IVC Evidensia, which owns more than 1,000 “first-opinion practices” in the UK; VetPartners, another private equity-owned chain with more than 500 sites; and Pets at Home, the superstore chain that has vet practices in many stores.
The UK’s veterinary industry is under scrutiny by the competition regulator. Last month the Competition and Markets Authority (CMA) said it had opened a formal investigation into potential abuses in the sector after finding that some people may be overpaying to have their pets treated. The CMA received a deluge of responses to its initial inquiry: 56,000 people got in touch.
CVS said in a message to the stock market on Monday that it had endured “considerable operational disruption over the past week” after discovering the intruders in its systems. The company was forced to shut down computer systems at its practices and in some broader business functions for several days last week, it added.
“IT services to our practices and business functions have now been securely restored across the majority of the estate; however, due to the increased levels of security and monitoring, some systems are not working as efficiently as previously and this is likely to result in an ongoing operational impact,” CVS said.
The company is listed on London’s Alternative Investment Market and was valued at £680m before the hack was disclosed. Its biggest shareholder is the Canadian investor Global Alpha Capital Management.
The group has informed the UK’s Information Commissioner’s Office of the attack, “due to the risk of malicious access to personal information”. It did not say whether the private information it thought could be at risk was customer data or related to other people such as staff or suppliers.
Specialist cybersecurity consultants have been hired to investigate the nature and extent of the breach.