France National Bank Account Registry Breach (2026)

In early 2026, France experienced a significant data breach involving its national bank account registry, known as FICOBA (Fichier National des Comptes Bancaires). This centralized database, managed by the Direction Générale des Finances Publiques (DGFiP) under the Ministry of the Economy, Finance, and Industrial and Digital Sovereignty, tracks all bank accounts opened in French financial institutions—totaling over 300 million records.

What Happened

The breach was disclosed by the French Ministry on February 18, 2026 (with some reports citing February 19). It began in late January 2026, when a malicious actor (described as an "acteur malveillant") gained unauthorized access.The attacker did not exploit a technical vulnerability in the database itself but instead used stolen login credentials belonging to a legitimate civil servant (a government official). This individual had authorized access to FICOBA through interministerial information-sharing platforms. By impersonating or using these credentials, the intruder was able to query and view portions of the database for several days before the intrusion was detected internally.Once discovered, authorities immediately restricted access, contained the breach, and implemented measures to prevent further unauthorized activity. A criminal complaint was filed, and the incident was reported to France's data protection authority, the CNIL (Commission Nationale de l'Informatique et des Libertés).

What Data Was Exposed

The compromised data affected approximately 1.2 million bank accounts. Exposed information included:

• International Bank Account Numbers (IBANs) or RIB (Relevé d'Identité Bancaire) details

• Account holder's full name (first and last)

• Residential address

• In some cases, the account holder's tax identification number (numéro fiscal)

Importantly, sensitive details such as account balances, transaction histories, or full banking operation logs were not accessed or exposed, according to official statements.

Potential Risks and Impacts

This type of data is highly valuable for cybercriminals. Exposed IBANs combined with personal details (names and addresses) can facilitate:

• SEPA direct debit fraud (unauthorized withdrawals in the Eurozone)

• Targeted phishing scams or impersonation attacks

• Identity theft

• Further social engineering efforts

French authorities noted that "numerous" scams had already been reported in connection with the breach shortly after disclosure. Affected individuals were to be notified individually, and banks were instructed to heighten vigilance and advise customers to watch for suspicious activity, unusual messages, or requests.

Response and Aftermath

• The DGFiP, ANSSI (France's National Cybersecurity Agency), and other government teams mobilized to investigate and strengthen system security.

• No evidence suggests the full database (300+ million accounts) was compromised—only a limited subset was accessed.

• This incident occurred amid other high-profile French data breaches in early 2026, including a separate health records leak affecting millions, highlighting broader concerns about government-held sensitive data.

The breach underscores risks from credential theft and insider-like access in centralized national systems, rather than sophisticated hacking of fortified databases. It serves as a reminder for robust multi-factor authentication, monitoring of privileged accounts, and rapid detection in public sector IT environments.