March 18, 2025

How Poor Vendor & Contract Management Led to 5 Major Business Disasters

Explore five major security breaches, their business impacts, and how organisations can mitigate vendor and contract risks with proactive compliance strategies
Ian Bryce

High-profile security breaches have become a recurring threat, causing billions in financial losses, operational breakdowns, and reputational damage.

From software failures to data breaches and regulatory non-compliance, these incidents reveal critical vulnerabilities across industries like finance, healthcare, and pharmaceuticals.

According to the 2024 Verizon Data Breach Investigations Report, the total breaches by sector were:

  • Healthcare 36%
  • Public Sector 19%
  • Financial Services 16%

In this overview, we examine five significant breaches in recent years, outlining their impact and key lessons for procurement, legal, and risk management professionals.

1. CrowdStrike’s Global Outage: A Costly Software Failure

In July 2024, CrowdStrike deployed a faulty update for its Falcon sensor software on Windows devices. A minor error triggered a catastrophic global outage, causing over 8.5 million systems to fail. This software flaw led to severe business disruptions, with estimated financial losses exceeding $5 billion worldwide.

Key Business Impacts:

  • Delta Airlines was one of the hardest-hit organisations, suffering disruption to 7,000 flights, affecting 1.3 million passengers, and losing over $500 million.
  • Insurance providers faced $1.5 billion in payouts due to business interruption and system failures.

Accountability and Legal Consequences:

  • Delta Airlines sued CrowdStrike in October 2024, challenging the company’s liability limitations on software failures.
  • EU regulators examined the incident under GDPR, questioning potential data security violations.
  • The UK’s Financial Conduct Authority (FCA) issued operational resilience guidance, highlighting third-party risks in regulated sectors.

2. ICBC’s Dual Cybersecurity Breaches: A Financial Market Disruptor

In November 2023, the Industrial and Commercial Bank of China (ICBC) suffered a ransomware attack by LockBit, halting trade clearances in the $26 trillion U.S. Treasury market.

Employees had to resort to manual processing, using USB drives and personal Gmail accounts to bypass system failures.

Less than a year later, ICBC’s London branch was also breached, further weakening confidence in its cybersecurity infrastructure.

Key Business Impacts:

  • ICBC took on a $9 billion loan from BNY Mellon to stabilise its U.S. division post-attack.
  • The breach disrupted financial market operations, delaying major transactions.

Accountability and Legal Consequences:

  • The U.S. Securities and Exchange Commission (SEC) launched an investigation into ICBC’s communication and record-keeping failures.
  • The incident reinforced regulatory expectations for financial institutions to improve operational resilience.

3. Bank of America’s Third-Party Breach: Supply Chain Security Gaps

In 2023, a security breach at Infosys McCamish Systems (IMS), a third-party service provider, exposed sensitive customer data for 57,000 Bank of America clients. The attack compromised names, addresses, business email addresses, and Social Security numbers, leading to heightened identity theft risks.

Key Business Impacts:

  • The breach damaged customer trust and required extensive remediation efforts.
  • Complexity in forensic investigation prevented the bank from confirming the extent of data exposure.

Accountability and Legal Consequences:

  • The breach was linked to the LockBit ransomware group, which also targeted other major financial institutions.
  • Bank of America faced additional security concerns due to a separate third-party breach at NCB Management Services, affecting nearly 500,000 customers.

4. The PharMerica Data Breach: A Large-Scale Exposure of Patient Data

In March 2023, PharMerica, a leading U.S. pharmacy services provider, suffered a major cyberattack that compromised the personal data of nearly 5.8 million individuals.

The ransomware group Money Message claimed responsibility for the breach, which targeted sensitive patient information, including names, birth dates, Social Security numbers, medication details, and health insurance information.

The attack was part of a larger offensive against PharMerica’s parent company, BrightSpring Health Services.

Key Business Impacts:

  • Stolen information included Social Security numbers, health records, and insurance details, significantly increasing risks of identity theft and fraud.

  • While PharMerica did not disclose specific financial losses, the pharmaceutical industry’s average breach cost in 2023 was $4.82 million per incident.

Accountability and Legal Consequences:

  • PharMerica issued a statement reaffirming its commitment to data security and implemented additional measures to strengthen protections against future cyberattacks.

  • Legal and regulatory scrutiny intensified, with industry experts calling for stronger vendor oversight and improved cybersecurity frameworks to prevent similar breaches.

5. FCA Fine Against Mako Financial Markets: A Regulatory Crackdown

In February 2025, Mako Financial Markets Partnership LLP was fined £1,662,700 by the UK's Financial Conduct Authority (FCA) for breaches of regulatory principles related to financial crime risks in the trading sector. This case highlights the growing scrutiny on financial firms and the importance of strong compliance frameworks.

Key Business Impacts:

  • The FCA’s enforcement action reinforces its emphasis on financial crime prevention and risk management in the trading sector.
  • The £1.6 million fine highlights the financial consequences of failing to meet regulatory obligations.

Accountability and Legal Consequences:

  • Mako Financial Markets was penalised for failing to implement adequate controls to mitigate financial crime risks.

  • The case underscores the FCA’s willingness to take action even in the absence of specific rule violations, focusing instead on overarching compliance principles.

How to Proactively Mitigate Vendor and Contract Risk

As regulatory pressures increase and vendor risks become more complex, organisations need a structured approach to managing third-party relationships.

Vendor and contract lifecycle management (VCLM) software provides an end-to-end solution that enables procurement, legal, and compliance teams to mitigate risks, enforce contractual safeguards, and maintain full visibility over vendor and contract lifecycles, as well as third-party risk.

This is achieved through: 

  • Vendor Risk Identification & Due Diligence: Conduct thorough risk assessments before onboarding vendors, ensuring compliance with security, financial, and operational standards.
  • Automated Compliance & Risk Monitoring: Use AI-powered alerts and continuous tracking to identify potential compliance gaps, contractual risks, or third-party vulnerabilities before they escalate.
  • Contract Lifecycle Governance: Ensure vendor agreements include clear security provisions, performance metrics, and regulatory compliance clauses to prevent service failures.
  • Audit & Reporting Capabilities: Maintain a transparent audit trail for vendor activities, security measures, and contract compliance, helping organisations stay ahead of regulatory requirements.
  • Contract Performance Management: Track vendor performance against agreed KPIs and SLAs to ensure accountability and service quality.
  • Risk Scoring: Leverage AI-driven insights to assess vendor risks dynamically, prioritising high-risk relationships for greater oversight.
  • Automated Renewal & Termination Management: Prevent contract lapses and mitigate risk exposure by managing contract renewals, expirations, and exit strategies efficiently.
  • Centralised Vendor & Contract Repository: Maintain a single source of truth for vendor and contract information, streamlining accessibility and compliance reporting.
  • Escalation & Issue Resolution Workflows: Automate issue tracking and resolution processes to address vendor-related risks before they escalate into critical failures.
  • Real-Time Data Visibility & Insights: Gain actionable insights with dashboards that highlight vendor performance, compliance status, and risk exposure across the supply chain.

By implementing Gatekeeper’s advanced contract and vendor management solutions, your organisation can reduce its exposure to operational disruptions, regulatory penalties, and security breaches. 

Book a demo today to find out more.