Unauthorized Access to France’s FICOBA Bank Account Registry Exposes 1.2 Million Accounts
France’s Ministry of the Economy and Finance confirmed that an attacker accessed and consulted data tied to ~1.2 million French bank accounts by using stolen login credentials belonging to an authorized government user of the national bank account registry (FICOBA). The intrusion began in late January 2026 and exposed account-linked personal data including IBANs, account holder names, addresses, and in some cases tax identification numbers (DGFiP-issued). Authorities stated the access did not enable viewing balances or initiating transactions.
After detection, the ministry reported it blocked the attacker, notified France’s data protection authority (CNIL), and filed a criminal complaint; impacted individuals are expected to be contacted directly, and banks were alerted to advise customers to remain vigilant. Reporting noted the incident follows other recent cyber disruptions affecting French public services (including attacks impacting La Poste/La Banque Postale and the Interior Ministry), though no motive or attribution for the FICOBA access has been publicly confirmed.
Timeline
Apr 7, 2026
Threat actor advertises alleged FICOBA dataset for sale
On 2026-04-07, a threat actor using the name "bestdata" was reported to be offering for sale a dataset allegedly containing 1.2 million French FICOBA-related records. The listing claimed data from more than 15 financial institutions and included sensitive identity and banking fields such as IBANs, tax identifiers, and other personal details.
Feb 18, 2026
CNIL notified and criminal complaint filed over registry breach
Following the discovery and disclosure of the incident, French authorities notified the CNIL data protection authority and filed a criminal complaint. Banks and affected individuals were also being alerted about the exposure and related fraud risks.
Feb 18, 2026
French Ministry discloses FICOBA breach affecting 1.2 million accounts
On 2026-02-18, the French Ministry of the Economy publicly confirmed the breach of the national bank account database. It said exposed data included IBANs or account numbers, names, addresses, and in some cases tax identification numbers.
Feb 15, 2026
French authorities detect and contain the FICOBA intrusion
By mid-February 2026, the French Economy Ministry and DGFiP detected the unauthorized access, blocked the attacker, revoked the compromised credentials, and took steps to prevent data removal. Authorities said the accessed system did not allow viewing balances or conducting transactions.
Jan 31, 2026
Intruder accesses FICOBA using stolen civil servant credentials
In late January 2026, an attacker used compromised credentials belonging to an authorized government official to access France’s FICOBA national bank account registry. The unauthorized access exposed records tied to about 1.2 million bank accounts.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Threat Actors
Organizations
Sources
Related Stories
French FICOBA Bank Account Registry Accessed Using Stolen Government Credentials
French authorities confirmed unauthorized access to **FICOBA**, the national registry of bank accounts, after an attacker used **stolen credentials belonging to a government official** to view records tied to roughly **1.2 million** accounts. Exposed data reportedly included account numbers and account-holder identity details (names, addresses, and in some cases tax identification numbers), while **balances and transaction histories were not accessed**; officials said the access was detected and blocked quickly and that affected individuals would be notified. A criminal complaint was filed and the incident was reported to **CNIL** (France’s data protection authority). Reporting also indicated the government described the incident as involving data “stolen” from the repository, though other accounts emphasized that access was interrupted before exfiltration could occur, leaving the precise extent of data removal unclear. The incident highlights the risk of credential compromise for privileged government access to sensitive financial registries and the downstream exposure of identity-linked banking metadata that can enable targeted fraud and social engineering even without transaction data.
1 months ago
Data exposures tied to third-party access and credential misuse in Ukraine and France
Ukraine’s National Bank (NBU) took its **collectible coin/numismatic online store** offline after a cyberattack against a supporting **contractor** potentially exposed customer registration data (names, phone numbers, emails, and delivery addresses). The NBU said **core banking systems were not affected** and **no payment card or banking data** was compromised, but warned the exposed PII could be leveraged for **phishing** and other follow-on fraud; the incident was described as consistent with a **supply-chain** intrusion path. In France, authorities disclosed illegal access to a portion of the **National Bank Accounts File (FICOBA)**—a government database used for tax, customs, and law-enforcement purposes—after an attacker **impersonated a civil servant** and used valid credentials to query data. Officials said up to **1.2 million accounts** may have been impacted, with exposed fields potentially including account numbers, names, addresses, and in some cases tax identifiers; **DGFiP**, supported by **ANSSI**, is investigating and notifying affected individuals while banks were alerted to heighten fraud/phishing monitoring. Separately, **Safran Group** denied being cyberattacked, stating that a leaked dataset containing “non-strategic” order/customer details was **inadvertently exposed via a third-party provider**, with external analysis suggesting the compromise occurred elsewhere in the supply chain rather than within Safran’s own systems.
1 months ago
French Telecom and Retail Breaches Expose Millions of Customer Records
French telecommunications provider **Bouygues Telecom** disclosed a cyberattack that led to the exposure of nearly **6.4 million customer records**, including **5.7 million unique email addresses**. The compromised data reportedly included names, physical addresses, phone numbers, dates of birth, and **IBANs**, raising concerns about fraud and financial abuse. The company said affected customers were notified after detecting the intrusion into its services. French electronics retailer **Boulanger** also suffered a major breach in which more than **27 million rows of data** were exposed, including **2 million unique email addresses**. The leaked information reportedly included names, physical addresses, phone numbers, and even **latitude and longitude** data. Unlike the Bouygues incident, the stolen Boulanger dataset was later posted publicly on a hacking forum, significantly increasing the likelihood of downstream misuse, phishing, and identity-related abuse.
1 months ago