Unauthorized Access to France’s FICOBA Bank Account Registry Exposes 1.2 Million Accounts
France’s Ministry of the Economy and Finance confirmed that an attacker accessed and consulted data tied to ~1.2 million French bank accounts by using stolen login credentials belonging to an authorized government user of the national bank account registry (FICOBA). The intrusion began in late January 2026 and exposed account-linked personal data including IBANs, account holder names, addresses, and in some cases tax identification numbers (DGFiP-issued). Authorities stated the access did not enable viewing balances or initiating transactions.
After detection, the ministry reported it blocked the attacker, notified France’s data protection authority (CNIL), and filed a criminal complaint; impacted individuals are expected to be contacted directly, and banks were alerted to advise customers to remain vigilant. Reporting noted the incident follows other recent cyber disruptions affecting French public services (including attacks impacting La Poste/La Banque Postale and the Interior Ministry), though no motive or attribution for the FICOBA access has been publicly confirmed.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Threat actor advertises alleged FICOBA dataset for sale
On 2026-04-07, a threat actor using the name "bestdata" was reported to be offering for sale a dataset allegedly containing 1.2 million French FICOBA-related records. The listing claimed data from more than 15 financial institutions and included sensitive identity and banking fields such as IBANs, tax identifiers, and other personal details.
CNIL notified and criminal complaint filed over registry breach
Following the discovery and disclosure of the incident, French authorities notified the CNIL data protection authority and filed a criminal complaint. Banks and affected individuals were also being alerted about the exposure and related fraud risks.
French Ministry discloses FICOBA breach affecting 1.2 million accounts
On 2026-02-18, the French Ministry of the Economy publicly confirmed the breach of the national bank account database. It said exposed data included IBANs or account numbers, names, addresses, and in some cases tax identification numbers.
French authorities detect and contain the FICOBA intrusion
By mid-February 2026, the French Economy Ministry and DGFiP detected the unauthorized access, blocked the attacker, revoked the compromised credentials, and took steps to prevent data removal. Authorities said the accessed system did not allow viewing balances or conducting transactions.
Intruder accesses FICOBA using stolen civil servant credentials
In late January 2026, an attacker used compromised credentials belonging to an authorized government official to access France’s FICOBA national bank account registry. The unauthorized access exposed records tied to about 1.2 million bank accounts.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Threat Actor Selling 1.2 Million French FICOBA Banking Leads With IBANs, SSNs, and Tax IDs From 15+ Banks
darkwebinformer.com
Open sourceData on 1.2 million French bank accounts accessed in registry breach - Help Net Security
helpnetsecurity.com
Open sourceFrench FICOBA Bank Account Database Breach Exposes Data of 1.2 Million Accounts: February 2026 Incident Analysis
rescana.com
Open sourceFrench Ministry confirms data access to 1.2 Million bank accounts
securityaffairs.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
French FICOBA Bank Account Registry Accessed Using Stolen Government Credentials
French authorities confirmed unauthorized access to **FICOBA**, the national registry of bank accounts, after an attacker used **stolen credentials belonging to a government official** to view records tied to roughly **1.2 million** accounts. Exposed data reportedly included account numbers and account-holder identity details (names, addresses, and in some cases tax identification numbers), while **balances and transaction histories were not accessed**; officials said the access was detected and blocked quickly and that affected individuals would be notified. A criminal complaint was filed and the incident was reported to **CNIL** (France’s data protection authority). Reporting also indicated the government described the incident as involving data “stolen” from the repository, though other accounts emphasized that access was interrupted before exfiltration could occur, leaving the precise extent of data removal unclear. The incident highlights the risk of credential compromise for privileged government access to sensitive financial registries and the downstream exposure of identity-linked banking metadata that can enable targeted fraud and social engineering even without transaction data.
Mar 21, 2026
Data exposures tied to third-party access and credential misuse in Ukraine and France
Ukraine’s National Bank (NBU) took its **collectible coin/numismatic online store** offline after a cyberattack against a supporting **contractor** potentially exposed customer registration data (names, phone numbers, emails, and delivery addresses). The NBU said **core banking systems were not affected** and **no payment card or banking data** was compromised, but warned the exposed PII could be leveraged for **phishing** and other follow-on fraud; the incident was described as consistent with a **supply-chain** intrusion path. In France, authorities disclosed illegal access to a portion of the **National Bank Accounts File (FICOBA)**—a government database used for tax, customs, and law-enforcement purposes—after an attacker **impersonated a civil servant** and used valid credentials to query data. Officials said up to **1.2 million accounts** may have been impacted, with exposed fields potentially including account numbers, names, addresses, and in some cases tax identifiers; **DGFiP**, supported by **ANSSI**, is investigating and notifying affected individuals while banks were alerted to heighten fraud/phishing monitoring. Separately, **Safran Group** denied being cyberattacked, stating that a leaked dataset containing “non-strategic” order/customer details was **inadvertently exposed via a third-party provider**, with external analysis suggesting the compromise occurred elsewhere in the supply chain rather than within Safran’s own systems.
Mar 21, 2026
France Titres Breach Exposed Up to 19 Million Identity Records
France Titres, the French agency formerly known as ANTS and responsible for identity and registration documents, confirmed a breach of its `ants.gouv.fr` portal after threat actor **breach3d** advertised a trove of stolen records for sale on cybercrime forums. The agency said the compromised data may include login IDs, full names, email addresses, dates and places of birth, account identifiers, and in some cases postal addresses and phone numbers from both individual and professional accounts. Other reporting on the sale listings said the dataset could contain 18 million to 19 million records, including fields indicating government-verified identities, raising the risk of phishing, social engineering, and identity fraud if the claims are fully accurate. French authorities said unusual activity was identified in mid-April and launched parallel technical and judicial investigations involving **ANSSI**, **CNIL**, the Paris Public Prosecutor, and anti-cybercrime investigators. Prosecutors later announced the arrest of a 15-year-old suspect in connection with the case after records linked to the agency were allegedly offered for sale online, and said the inquiry covers unauthorized access, persistence, and extraction of personal data from a state-operated system. France Titres has notified affected individuals and said the stolen information does not provide direct access to user accounts or the portal itself, while warning citizens to remain alert for follow-on scams and impersonation attempts.
May 25, 2026