
Data exposures tied to third-party access and credential misuse in Ukraine and France

third-party-vendor-breach, mass-credential-exposure, breach-disclosure-notification, identity-impersonation-fraud, phishing-campaign-intelligence
Updated March 21, 2026 at 02:22 PM · 4 sources
Ukraine’s National Bank (NBU) took its collectible coin/numismatic online store offline after a cyberattack against a supporting contractor potentially exposed customer registration data (names, phone numbers, emails, and delivery addresses). The NBU said core banking systems were not affected and no payment card or banking data was compromised, but warned the exposed PII could be leveraged for phishing and other follow-on fraud; the incident was described as consistent with a supply-chain intrusion path.

In France, authorities disclosed illegal access to a portion of the National Bank Accounts File (FICOBA)—a government database used for tax, customs, and law-enforcement purposes—after an attacker impersonated a civil servant and used valid credentials to query data. Officials said up to 1.2 million accounts may have been impacted, with exposed fields potentially including account numbers, names, addresses, and in some cases tax identifiers; DGFiP, supported by ANSSI, is investigating and notifying affected individuals while banks were alerted to heighten fraud/phishing monitoring. Separately, Safran Group denied being cyberattacked, stating that a leaked dataset containing “non-strategic” order/customer details was inadvertently exposed via a third-party provider, with external analysis suggesting the compromise occurred elsewhere in the supply chain rather than within Safran’s own systems.

Timeline

  1. Feb 20, 2026

    NBU says contractor breach did not affect core banking systems or card data

    On February 20, 2026, the NBU stated that the incident was limited to the contractor environment, with network isolation preventing impact to core systems, and said payment card data and other banking information were not compromised.

  2. Feb 20, 2026

    Ukraine's central bank takes collectible coin store offline after contractor breach

    The National Bank of Ukraine took its online store for collectible coins and numismatic products offline after a cyberattack on a supporting contractor potentially exposed customer names, phone numbers, email addresses, and delivery addresses.

  3. Feb 19, 2026

    France notifies CNIL, alerts banks, and prepares to contact affected individuals

    Following disclosure of the FICOBA incident, authorities notified the CNIL, warned banks about possible fraud and phishing risks, and said affected individuals would be informed while ANSSI and finance ministry teams supported the investigation.

  4. Feb 19, 2026

    France discloses FICOBA breach affecting up to 1.2 million accounts

    On or before February 19, 2026, the French government disclosed that unauthorized access to FICOBA may have exposed data linked to up to 1.2 million bank accounts, including names, addresses, account numbers, IBANs, and in some cases tax identification numbers.

  5. Feb 19, 2026

    French authorities detect FICOBA breach and restrict access

    After detecting the malicious activity internally, French authorities took measures to limit the attacker's access and began restoration and security-hardening work on affected FICOBA systems.

  6. Jan 28, 2026

    Attackers begin unauthorized access to France's FICOBA database

    In late January 2026, a threat actor used credentials stolen from a civil servant to impersonate an authorized user and query part of France's national bank account database, FICOBA, via an interministerial information exchange.

Related Stories

Unauthorized Access to France’s FICOBA Bank Account Registry Exposes 1.2 Million Accounts

France’s Ministry of the Economy and Finance confirmed that an attacker **accessed and consulted data tied to ~1.2 million French bank accounts** by using **stolen login credentials** belonging to an authorized government user of the national bank account registry (*FICOBA*). The intrusion began in **late January 2026** and exposed account-linked personal data including **IBANs**, account holder **names**, **addresses**, and in some cases **tax identification numbers** (DGFiP-issued). Authorities stated the access did **not** enable viewing balances or initiating transactions. After detection, the ministry reported it **blocked the attacker**, notified France’s data protection authority (**CNIL**), and **filed a criminal complaint**; impacted individuals are expected to be contacted directly, and **banks were alerted** to advise customers to remain vigilant. Reporting noted the incident follows other recent cyber disruptions affecting French public services (including attacks impacting **La Poste/La Banque Postale** and the **Interior Ministry**), though no motive or attribution for the FICOBA access has been publicly confirmed.

3 weeks ago

French FICOBA Bank Account Registry Accessed Using Stolen Government Credentials

French authorities confirmed unauthorized access to **FICOBA**, the national registry of bank accounts, after an attacker used **stolen credentials belonging to a government official** to view records tied to roughly **1.2 million** accounts. Exposed data reportedly included account numbers and account-holder identity details (names, addresses, and in some cases tax identification numbers), while **balances and transaction histories were not accessed**; officials said the access was detected and blocked quickly and that affected individuals would be notified. A criminal complaint was filed and the incident was reported to **CNIL** (France’s data protection authority). Reporting also indicated the government described the incident as involving data “stolen” from the repository, though other accounts emphasized that access was interrupted before exfiltration could occur, leaving the precise extent of data removal unclear. The incident highlights the risk of credential compromise for privileged government access to sensitive financial registries and the downstream exposure of identity-linked banking metadata that can enable targeted fraud and social engineering even without transaction data.

1 month ago

Multiple Data Exposure and Breach Reports Involving French Citizens, Victorian Students, and Alleged PayPal Credentials

Security researchers reported a large, publicly exposed database on an open cloud server containing **tens of millions of French citizen records** aggregated from at least five prior breaches, including voter data, healthcare entries, CRM contacts, financial profiles (including **IBANs/BICs**), and vehicle-related information. The dataset appears to have been compiled to increase resale value and enable identity cross-linking, elevating risks of **phishing, fraud, and identity theft**. Separately, Australia’s **Victorian Department of Education** notified parents that an unauthorized party accessed a student database containing names, school names, year levels, school-issued email addresses, and **encrypted passwords**, prompting a forced password reset and temporary account access disruption; the department stated more sensitive fields (e.g., home addresses, phone numbers) were not exposed and investigators had not confirmed public release. In another unrelated report, researchers questioned the veracity of a newly claimed **PayPal** breach, assessing a ~100,000-record credential “combolist” as likely **outdated infostealer-log data** rather than evidence of a fresh PayPal compromise, noting PayPal’s prior refutation of similar claims and the practical barriers posed by MFA.

1 month ago