Between January 28 and February 13, 2026, an unidentified attacker used stolen civil servant credentials to access FICOBA - France's centralized national registry of every bank account opened in the country - and queried data tied to 1.2 million accounts over 16 consecutive days.
FICOBA, short for Fichier des Comptes Bancaires et Assimiles, is operated by the Direction Generale des Finances Publiques (DGFiP) under the French Ministry of Economy and Finance. It contains approximately 300 million account records belonging to 80 million individuals.
The compromised account had no multi-factor authentication.
The exposed data includes International Bank Account Numbers (IBANs), account holder names, residential addresses, dates of birth, and in some cases tax identification numbers issued by the DGFiP. The Ministry disclosed the breach on February 18, 2026. CNIL, France's data protection authority, has been notified and is expected to investigate.
ANSSI, France's national cybersecurity agency, is assisting with remediation. The French Banking Federation (FBF) issued a public warning urging all affected account holders to monitor direct debits for fraudulent activity.
KEY FACTS
- What: Unauthorized access to France's national bank account registry using stolen government credentials - no vulnerability exploited, only credential abuse.
- Who: DGFiP / French Ministry of Economy and Finance. 1.2 million account holders affected. FICOBA holds records on 80 million individuals across 300 million accounts.
- How: Credential theft - attacker obtained login credentials belonging to a civil servant authorized to access FICOBA through inter-ministerial information exchange channels. No MFA was configured on the account.
- Data: IBANs, account holder full names, residential addresses, dates of birth, tax identification numbers (partial). Account balances and transaction history were not exposed.
- Actor: Unknown. No threat actor or group has claimed responsibility. French authorities have not publicly attributed the attack. Attribution confidence: unknown.
- Impact: 1.2 million accounts exposed (less than 1% of total FICOBA records). Direct financial fraud risk via unauthorized SEPA direct debit mandates. Sustained social engineering risk from combined identity and banking data.
TIMELINE
- January 28, 2026: Attacker begins accessing FICOBA using stolen civil servant credentials.
- January 28 - February 13, 2026: Unauthorized access continues for 16 consecutive days. The attacker queries the database, accessing records tied to 1.2 million accounts.
- February 13, 2026: DGFiP's IT team detects the unauthorized access and revokes the compromised credentials, blocking further queries.
- February 18, 2026: French Ministry of Economy and Finance publicly discloses the breach. CNIL is formally notified. ANSSI engaged for remediation support.
- February 18-19, 2026: French Banking Federation (FBF) issues public advisory urging account holders to monitor direct debits. Banque de France publishes fraud prevention guidance.
- Late February 2026: Ministry begins notifying affected individuals via email and postal mail.
WHAT HAPPENED
On January 28, 2026, an attacker began accessing FICOBA using credentials stolen from a civil servant whose role included querying the registry as part of inter-ministerial information exchanges.
FICOBA is not a public-facing application - it is an internal government database accessible only to authorized officials in tax, customs, law enforcement, and judicial agencies. The attacker did not exploit a software vulnerability.
They simply logged in with valid credentials and queried the system as the legitimate user would have.
The access continued undetected for 16 days. During this period, the attacker queried records tied to approximately 1.2 million bank accounts - less than 1% of the 300 million account records FICOBA holds.
The database functions as an index rather than a full ledger: it maps account holders to their banking institutions and IBANs but does not contain account balances, transaction histories, or passwords.
The attacker accessed IBANs, full names, residential addresses, dates of birth, and in some cases tax identification numbers.
DGFiP's IT team detected the anomalous access pattern on February 13 and immediately revoked the compromised credentials, blocking further queries. The Ministry disclosed the breach publicly on February 18 - five days after detection and 21 days after initial compromise.
CNIL was formally notified. ANSSI was engaged to assist with forensic analysis and system hardening.
This breach occurred against a backdrop of escalating credential-based attacks on French government systems.
Just weeks earlier, the "Choisir le Service Public" recruitment platform was compromised on January 28 through the same vector - stolen manager credentials - exposing 377,418 candidate profiles.
In late 2025, the Interior Ministry suffered a similar breach enabled by the absence of MFA. The French cybersecurity outlet Zataz has suggested infostealer malware may be fueling the multiplication of credential-based attacks against French government systems.
THREAT ACTOR
No threat actor or group has publicly claimed responsibility for the FICOBA breach. French authorities have not attributed the attack.
The method - credential theft followed by database querying over an extended period - is consistent with both financially motivated actors seeking data for fraud or resale and state-sponsored espionage operations harvesting financial intelligence.
Without technical artifacts such as malware samples, command-and-control infrastructure, or exfiltration tooling, attribution remains speculative.
The attack pattern is consistent with infostealer-harvested credentials sold on dark web marketplaces - a vector that has fueled multiple French government breaches in late 2025 and early 2026.
WHAT WAS EXPOSED
- International Bank Account Numbers (IBANs): Enable initiation of SEPA direct debit mandates if combined with forged creditor documentation. Under SEPA rules, a creditor with a valid Interbank Creditor Identifier (ICS) can initiate debits knowing only the IBAN.
- Full names: Combined with IBANs and addresses, enable highly targeted social engineering - attackers can pose as the victim's actual bank with accurate account details.
- Residential addresses: Enable physical fraud (redirected mail, forged documents) and enrich phishing campaigns with geographic specificity.
- Dates of birth: Combined with names and addresses, these satisfy identity verification requirements at many French institutions.
- Tax identification numbers (partial): Issued by DGFiP, these are persistent identifiers that cannot be changed. Exposure enables tax fraud and identity theft with the French tax authority.
- Account balances and transaction histories were NOT exposed. FICOBA functions as an index, not a ledger.
The combination of IBANs, full identity data, and tax identifiers creates a potent fraud toolkit.
The FBF specifically warned that this data enables fraudsters to forge SEPA direct debit mandates, subscribe to services billed to victims' accounts, and conduct social engineering attacks with a level of detail that makes them difficult to distinguish from legitimate bank communications.
TECHNICAL FAILURE CHAIN
1. Credential theft (initial access). The attacker obtained valid credentials belonging to a civil servant with FICOBA access.
The most likely vector, based on the pattern of concurrent French government breaches, is infostealer malware harvesting credentials from the civil servant's device. The stolen credentials provided direct access to FICOBA's inter-ministerial query interface.
2. No multi-factor authentication. The compromised account was protected by a single authentication factor - a password. No MFA, no hardware security key, no certificate-based authentication.
Security researchers described this as "almost surreal negligence" for a system containing the banking details of 80 million individuals. MFA would have rendered the stolen credentials useless.
3. No access anomaly detection. The attacker queried 1.2 million records over 16 days. A civil servant conducting legitimate inter-ministerial queries would access records in targeted, low-volume searches tied to specific cases.
Bulk querying of 1.2 million records over 16 days is an anomalous access pattern that should have triggered automated alerts within hours, not weeks.
4. No query rate limiting or volume thresholds. FICOBA apparently imposed no limits on the number of records a single authenticated session could query.
A government database containing 300 million financial records should enforce per-session, per-day, and per-user query volume caps with mandatory escalation when thresholds are exceeded.
5. No privileged access monitoring. Access to a database of this sensitivity - every bank account in France - should be subject to real-time session recording, behavioral analytics, and mandatory audit logging with automated review.
The 16-day dwell time indicates that either logging was absent, logs were not reviewed, or no automated alerting was configured.
6. Delayed detection and disclosure. The attacker operated for 16 days before detection. The Ministry waited five additional days before public disclosure.
GDPR Article 33 requires notification to the supervisory authority within 72 hours of becoming aware of a personal data breach.
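Items 3 to 5 above come down to reviewing query logs against a per-role baseline. The following is an added example, not DGFiP or FICOBA code: it runs that check over constructed audit lines, and the log format, role names, daily ceilings and business hours are all assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Assumed per-role daily ceilings (records/day); real values come from baselining.
ROLE_DAILY_CEILING = {"tax_officer": 200, "customs": 100}
BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 local time, assumed

# Constructed audit lines: ISO timestamp, user, role, records returned by the query.
SAMPLE_LOG = """\
2026-01-27T10:14:00,agent_a,tax_officer,3
2026-01-27T15:02:00,agent_b,customs,12
2026-01-28T02:31:00,agent_a,tax_officer,40000
2026-01-28T03:05:00,agent_a,tax_officer,35000
2026-01-28T11:20:00,agent_b,customs,9
2026-01-29T01:47:00,agent_a,tax_officer,75000
"""

def parse(log_text):
    """Yield (timestamp, user, role, records) from comma-separated audit lines."""
    for line in log_text.strip().splitlines():
        ts, user, role, n = line.split(",")
        yield datetime.fromisoformat(ts), user, role, int(n)

def detect(log_text):
    """Return sorted alerts as (day, user, kind, value)."""
    volume = defaultdict(int)     # (day, user, role) -> records returned that day
    off_hours = defaultdict(int)  # (day, user) -> queries outside business hours
    for ts, user, role, n in parse(log_text):
        day = ts.date().isoformat()
        volume[(day, user, role)] += n
        if ts.hour not in BUSINESS_HOURS:
            off_hours[(day, user)] += 1
    alerts = []
    for (day, user, role), total in volume.items():
        # Unknown roles get a ceiling of 0 so they always alert (fail closed).
        if total > ROLE_DAILY_CEILING.get(role, 0):
            alerts.append((day, user, "daily_volume", total))
    for (day, user), count in off_hours.items():
        alerts.append((day, user, "off_hours_queries", count))
    return sorted(alerts)

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the constructed data the first alert fires on the first day of bulk querying, which is the detection window the failure chain says was missed.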
REGULATORY EXPOSURE
- GDPR Article 5(1)(f) - Integrity and Confidentiality Principle: The DGFiP failed to ensure appropriate security of personal data, including protection against unauthorized access. Single-factor authentication on a database containing 300 million financial records is a clear violation.
- GDPR Article 32 - Security of Processing: The absence of MFA, access anomaly detection, and query rate limiting on a system of this scale and sensitivity constitutes a failure to implement technical and organizational measures appropriate to the risk. The CNIL fined France Travail EUR 5 million in January 2026 for nearly identical failures - insufficient authentication strength on accounts that led to a breach affecting 43 million individuals.
- GDPR Article 33 - Notification to Supervisory Authority: Requires notification within 72 hours of awareness. The Ministry detected the breach on February 13 and disclosed publicly on February 18 - five days later. The timing of CNIL notification relative to detection has not been publicly confirmed.
- GDPR Article 34 - Communication to Data Subject: Required when a breach is likely to result in a high risk to individuals' rights and freedoms. Exposure of IBANs, tax IDs, and identity data enabling direct debit fraud clearly meets this threshold. The Ministry has begun individual notifications.
- French Data Protection Act (Loi Informatique et Libertes): Supplements GDPR with specific provisions for government data processing. The CNIL has enforcement authority over public sector entities, though fines against government bodies flow back to the Treasury - creating a structural accountability gap.
- CNIL Enforcement Precedent: In January 2026, the CNIL fined France Travail EUR 5 million for a breach caused by insufficient authentication on government-connected accounts. The FICOBA breach involves the same failure pattern - credential theft enabled by absent MFA - applied to an even more sensitive database. Fine exposure under GDPR: up to EUR 20 million or 4% of annual global turnover. For a government entity, the CNIL typically applies fines in the single-digit millions, but the sensitivity of financial data and the scale of 1.2 million records could push enforcement toward the upper range.
- PSD2 / Payment Services Directive (EU): While FICOBA is a government registry rather than a payment service, the exposure of IBANs at scale creates downstream liability for payment service providers who process fraudulent SEPA direct debits initiated with stolen data.
- French Criminal Code - Article 323-1 et seq.: Unauthorized access to an automated data processing system carries penalties of up to five years imprisonment and EUR 150,000 in fines.
ZERO|TOLERANCE Advisory
1. Deploy Phishing-Resistant MFA for All FICOBA Access - Every account with access to FICOBA should require FIDO2 hardware security keys or certificate-based authentication.
Password-only authentication on a database containing the banking details of 80 million individuals is indefensible. This single control would have prevented the entire breach.
2. Implement Query Volume Thresholds and Rate Limiting - Enforce per-user, per-session, and per-day query limits with automatic account lockout and mandatory escalation when thresholds are exceeded.
A civil servant querying 1.2 million records over 16 days should have been flagged and blocked after the first anomalous day.
3. Deploy Real-Time Access Anomaly Detection - Implement behavioral analytics on all FICOBA access sessions. Baseline normal query patterns per user role and alert on deviations - volume spikes, off-hours access, geographic anomalies, bulk data retrieval.
4. Enforce Privileged Access Workstations - Restrict FICOBA access to dedicated, hardened government workstations on trusted network segments.
Block access from personal devices, home networks, and unmanaged endpoints where infostealer malware is most likely to harvest credentials.
5. Credential Monitoring for Government Accounts - Continuously monitor dark web credential marketplaces and infostealer log databases for compromised government credentials.
The pattern of concurrent French government breaches in late 2025 and early 2026 suggests systematic credential harvesting that should have triggered proactive credential rotation.
6. Enforce the Principle of Least Privilege - Review and restrict inter-ministerial FICOBA access to the minimum necessary records for each authorized role. No single civil servant account should be capable of querying 1.2 million records without triggering an approval workflow.
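Recommendations 2 and 6 describe a preventive control: caps checked before a query runs, lockout on breach, and release only through an approval step. The following is an added example of that logic, not code from DGFiP or any FICOBA component; the class name, cap values and return codes are hypothetical.

```python
from collections import defaultdict

class QueryQuota:
    """Per-session and per-user-per-day record caps with lockout on breach."""

    def __init__(self, session_cap=50, daily_cap=200):
        # Cap values are assumptions; derive real ones from role baselines.
        self.session_cap, self.daily_cap = session_cap, daily_cap
        self.session_used = defaultdict(int)  # session id -> records served
        self.daily_used = defaultdict(int)    # (user, day) -> records served
        self.locked = set()                   # users awaiting supervisor review
        self.escalations = []                 # (user, day, reason) for the review queue

    def authorize(self, user, session, day, records):
        """Decide before the query runs; usage is counted only when allowed."""
        if user in self.locked:
            return "locked"
        if self.daily_used[(user, day)] + records > self.daily_cap:
            # Daily cap breach: lock the account and escalate for human review.
            self.locked.add(user)
            self.escalations.append((user, day, "daily_cap"))
            return "locked"
        if self.session_used[session] + records > self.session_cap:
            # Session cap breach: refuse this query and record it, no lockout yet.
            self.escalations.append((user, day, "session_cap"))
            return "deny"
        self.session_used[session] += records
        self.daily_used[(user, day)] += records
        return "allow"

    def unlock(self, user, approver):
        """Lift a lockout only with a named approver distinct from the user."""
        if approver and approver != user:
            self.locked.discard(user)
            return True
        return False
```

Because the check runs before the query and a denied request consumes no quota, a stolen password alone cannot pull more than one day's cap before the account locks and a second person has to approve further access.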
SOURCES
Help Net Security, BleepingComputer, The Record, SecurityWeek, CPO Magazine, Security Boulevard, eSecurity Planet, American Banker, Cybernews, TechRadar, Connexion France, Threat Intel Report, Rescana, CNIL, French Ministry of Economy (economie.gouv.fr), Banque de France, French Banking Federation (FBF), Banque des Territoires