Data exposures tied to third-party access and credential misuse in Ukraine and France
Ukraine’s National Bank (NBU) took its collectible coin/numismatic online store offline after a cyberattack against a supporting contractor potentially exposed customer registration data (names, phone numbers, emails, and delivery addresses). The NBU said core banking systems were not affected and no payment card or banking data was compromised, but warned the exposed PII could be leveraged for phishing and other follow-on fraud; the incident was described as consistent with a supply-chain intrusion path.
In France, authorities disclosed illegal access to a portion of the National Bank Accounts File (FICOBA)—a government database used for tax, customs, and law-enforcement purposes—after an attacker impersonated a civil servant and used valid credentials to query data. Officials said up to 1.2 million accounts may have been impacted, with exposed fields potentially including account numbers, names, addresses, and in some cases tax identifiers; DGFiP, supported by ANSSI, is investigating and notifying affected individuals while banks were alerted to heighten fraud/phishing monitoring. Separately, Safran Group denied being cyberattacked, stating that a leaked dataset containing “non-strategic” order/customer details was inadvertently exposed via a third-party provider, with external analysis suggesting the compromise occurred elsewhere in the supply chain rather than within Safran’s own systems.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
NBU says contractor breach did not affect core banking systems or card data
On February 20, 2026, the NBU stated that the incident was limited to the contractor environment, with network isolation preventing impact to core systems, and said payment card data and other banking information were not compromised.
Ukraine's central bank takes collectible coin store offline after contractor breach
The National Bank of Ukraine took its online store for collectible coins and numismatic products offline after a cyberattack on a supporting contractor potentially exposed customer names, phone numbers, email addresses, and delivery addresses.
France notifies CNIL, alerts banks, and prepares to contact affected individuals
Following disclosure of the FICOBA incident, authorities notified the CNIL, warned banks about possible fraud and phishing risks, and said affected individuals would be informed while ANSSI and finance ministry teams supported the investigation.
France discloses FICOBA breach affecting up to 1.2 million accounts
On or before February 19, 2026, the French government disclosed that unauthorized access to FICOBA may have exposed data linked to up to 1.2 million bank accounts, including names, addresses, account numbers, IBANs, and in some cases tax identification numbers.
French authorities detect FICOBA breach and restrict access
After detecting the malicious activity internally, French authorities took measures to limit the attacker's access and began restoration and security-hardening work on affected FICOBA systems.
Attackers begin unauthorized access to France's FICOBA database
In late January 2026, a threat actor used credentials stolen from a civil servant to impersonate an authorized user and query part of France's national bank account database, FICOBA, via an interministerial information exchange.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Hackers breach contractor linked to Ukraine’s central bank collectible coin store | The Record from Recorded Future News
therecord.media
Open sourceA single compromised account gave hackers access to 1.2 million French banking records - DataBreaches.Net
databreaches.net
Open sourceData breach at French bank registry impacts 1.2 million accounts
bleepingcomputer.com
Open sourceAttackers breach France’s national bank account database | The Record from Recorded Future News
therecord.media
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Unauthorized Access to France’s FICOBA Bank Account Registry Exposes 1.2 Million Accounts
France’s Ministry of the Economy and Finance confirmed that an attacker **accessed and consulted data tied to ~1.2 million French bank accounts** by using **stolen login credentials** belonging to an authorized government user of the national bank account registry (*FICOBA*). The intrusion began in **late January 2026** and exposed account-linked personal data including **IBANs**, account holder **names**, **addresses**, and in some cases **tax identification numbers** (DGFiP-issued). Authorities stated the access did **not** enable viewing balances or initiating transactions. After detection, the ministry reported it **blocked the attacker**, notified France’s data protection authority (**CNIL**), and **filed a criminal complaint**; impacted individuals are expected to be contacted directly, and **banks were alerted** to advise customers to remain vigilant. Reporting noted the incident follows other recent cyber disruptions affecting French public services (including attacks impacting **La Poste/La Banque Postale** and the **Interior Ministry**), though no motive or attribution for the FICOBA access has been publicly confirmed.
Apr 7, 2026
French FICOBA Bank Account Registry Accessed Using Stolen Government Credentials
French authorities confirmed unauthorized access to **FICOBA**, the national registry of bank accounts, after an attacker used **stolen credentials belonging to a government official** to view records tied to roughly **1.2 million** accounts. Exposed data reportedly included account numbers and account-holder identity details (names, addresses, and in some cases tax identification numbers), while **balances and transaction histories were not accessed**; officials said the access was detected and blocked quickly and that affected individuals would be notified. A criminal complaint was filed and the incident was reported to **CNIL** (France’s data protection authority). Reporting also indicated the government described the incident as involving data “stolen” from the repository, though other accounts emphasized that access was interrupted before exfiltration could occur, leaving the precise extent of data removal unclear. The incident highlights the risk of credential compromise for privileged government access to sensitive financial registries and the downstream exposure of identity-linked banking metadata that can enable targeted fraud and social engineering even without transaction data.
Mar 21, 2026
Multiple Data Exposure and Breach Reports Involving French Citizens, Victorian Students, and Alleged PayPal Credentials
Security researchers reported a large, publicly exposed database on an open cloud server containing **tens of millions of French citizen records** aggregated from at least five prior breaches, including voter data, healthcare entries, CRM contacts, financial profiles (including **IBANs/BICs**), and vehicle-related information. The dataset appears to have been compiled to increase resale value and enable identity cross-linking, elevating risks of **phishing, fraud, and identity theft**. Separately, Australia’s **Victorian Department of Education** notified parents that an unauthorized party accessed a student database containing names, school names, year levels, school-issued email addresses, and **encrypted passwords**, prompting a forced password reset and temporary account access disruption; the department stated more sensitive fields (e.g., home addresses, phone numbers) were not exposed and investigators had not confirmed public release. In another unrelated report, researchers questioned the veracity of a newly claimed **PayPal** breach, assessing a ~100,000-record credential “combolist” as likely **outdated infostealer-log data** rather than evidence of a fresh PayPal compromise, noting PayPal’s prior refutation of similar claims and the practical barriers posed by MFA.
Mar 21, 2026