Paws Off! Pet Data at Risk in CVS Group Cyber Attack

Thousands of pets' data are reportedly at risk following a major cyber attack impacting the British veterinary firm CVS Group. 

It was confirmed today that CVS Group had "detected and intercepted a cyber incident which had involved unauthorised external access to a limited number of its IT systems" in a statement signed by CEOs Richard Fairman and Robin Alfonso, as well as Ben Jacklin, Deputy CEO.

“Upon discovery of the incident, CVS took immediate steps to isolate the issue and, to prevent wider unauthorised access, took its IT systems temporarily offline, as part of the Group's response plan. Our responses to contain the threat of malicious activity have caused considerable operational disruption over the past week, but to date have been effective in preventing further external access to CVS systems.” the statement reads.

CVS group is responsible for a massive amount of data. Although it has not yet been confirmed what has been compromised this may include pet medical records, finance information, pet insurance claims through MiPet Cover, and even pet owner demographics from their loyalty programs.

In response to the attack CVS stated that it had taken immediate action by taking all it’s IT systems offline. They have also stated that they are “ accelerating its plans to migrate its practice management system and related IT infrastructure to the Cloud to both provide enhanced security across our estate and to deliver operational efficiencies.”

IT services have now been "securely restored" across most of the group. 

Third party specialist consultants are now reportedly investigating “understand the ‘nature and extent of the incident and to support the response.” The authorities, including the Information Commissioner’s Office, have also been informed “due to the risk of malicious access to personal information”.

The business, which employs over 9000 staff, is likely to face significant disruption to operations.

“Through the efforts of our colleagues, we have continued to provide our usual high levels of clinical care to clients and patients at the majority of our practices,” CV confirmed but “due to the increased levels of security and monitoring, some systems are not working as efficiently as previously and this is likely to result in an ongoing operational impact.” they continue.

Gareth Pritchard, Chief Technology Officer at UK cybersecurity company, Sapphire gave EM360tech his insights:

“Cyberattacks like the one on CVS shows the need for organisations to always be ready for a cyberattack and to deal with any aftermath that might occur. Cyberattacks are not a ‘one and done’ occurrence and you need to ensure that recovery activities are also free from threat actors and also to be sure to remove any potential alternative pathways for the attacker to return and risk a secondary compromise. Too often companies overly rely on back ups to clear their estates of attackers, yet we know that threat actors are often in their target's systems for over 250 days before the visible attack or detection; so relying on a 30 day back up can leave you open to a follow up attack," he said.

"Cyberattacks often impact the realms of 'back-office IT systems' as well as having 'front-line' impacts on customers and operations, leading to financial and reputational damages. To effectively recover, it is important that alongside the technical tasks of eradicating the malicious attacker, to understand what systems, data and information could have been compromised. Additionally, a full system-wide review should be conducted to see where else the same attacker might be waiting or preserving access to your systems. This would enable you to be in a position to respond by making it harder the next time someone attacks and that your clients are fully informed if data has been lost. Organisations must remain vigilant to how attackers could leverage this type of information leak for future attacks and continue to protect sensitive information,"Pritchard continued. 

No hacking group has claimed responsibility for this attack yet. 

What is CVS Group?

CVS Group is a leading provider of veterinary services in the United Kingdom. They also operate in the Netherlands and Australia. They operate over 500 veterinary practices.

CVS Group goes beyond veterinary practices. They offer a wide range of services for pets and their owners, acting as a one-stop shop for animal care. 

They provide several additional services to complement their veterinary practices. This includes:

• Diagnostic Laboratories: In-house labs to process tests and provide vital information for treatment decisions.
• Pet Crematoria: Offering cremation services for deceased pets.
• Buying Groups: Helping veterinary professionals source supplies at competitive prices.
• Online Retail: Animed Direct allows pet owners to purchase pet supplies online.
• Pet Insurance: MiPet Cover provides pet insurance for unexpected vet bills..
• Preventative Care: The Healthy Pet Club offers pet owners a program for regular checkups and preventive treatments.
• Veterinary Medicines: They have their own brand of veterinary medicines (MiPet).

All this means one thing: they are responsible for massive amounts of data.

Why have CVS Group been targeted? 

CVS Group possesses a vast amount of sensitive data, making them a lucrative target for cybercriminals. This includes:

• Pet medical records: Valuable for understanding pet health trends or potentially for developing and selling black-market pet medications.
• Financial information: Credit card details or bank account information could be used for fraudulent purchases.
• Pet insurance claims: Cybercriminals might attempt to exploit vulnerabilities in the insurance system.
• Pet owner demographics: Data on pet ownership could be valuable for targeted marketing campaigns by other companies.

Cybercriminals could exploit the data stolen from CVS Group in several ways, depending on the specific type of data they were able to access. 

Pet Medical Records can be used to:

• Develop Black Market Medications: Detailed medical records could reveal patterns in pet health issues and medication use. Criminals might exploit this information to create and sell counterfeit medications online.
• Target Specific Breeds: Information on specific breeds and their common illnesses could be used to develop targeted phishing scams aimed at pet owners. For example, emails offering "miracle cures" for a breed's known condition.
• Sell Data to Third Parties: The data could be valuable to research labs or pharmaceutical companies interested in specific pet health trends.

Financial Information can be used for:

• Credit Card Fraud: Stolen credit card details could be used for unauthorized online purchases or sold on the dark web.
• Fake Invoices and Charges: Financial information might be used to create fake invoices or charges related to pet care services owners never received.

Pet Insurance Claims can be used to:

• Fraudulent Claims: Cybercriminals could exploit vulnerabilities in the insurance system to submit fake or inflated pet insurance claims for non-existent treatments.
• Identity Theft: Stolen pet owner information, combined with data from other sources, could be used for identity theft aimed at the pet owner.

Pet Owner Demographics can used in:

• Targeted Marketing Campaigns: Data on pet ownership and demographics could be valuable for targeted advertising campaigns by companies selling pet products or services.
• Social Engineering Scams: Information about pets' names and breeds could be used to personalize social engineering scams that trick pet owners into revealing personal information or clicking on malicious links.

Read: What is Social Engineering?

The true value of the stolen data might lie in combining different datasets. For example, pet medical records alongside financial information could be used for even more sophisticated scams.

Is my pet’s data at risk?

You can check if your local veterinary practice is at risk from the CVS Group cyber attack by searching your postcode on the Vet Collection practice finder.

While the situation is uncertain, it's always a good practice to be aware of data security risks. 

Be on the lookout for communications from CVS Group, though these may be legitimate, be hyper-vigilant about phishing emails. Scammers might use the breach to send emails pretending to be from your vet practice. These emails could trick you into revealing personal information or clicking on malicious links. Don't click on links or attachments in suspicious emails, and be wary of emails urging immediate action such as updating payment information. 

Following the attack ensure you monitor your bank statements and pet insurance claims for any suspicious activity.