In late January 2026, a malicious intruder accessed France’s national bank account registry, FICOBA, enabling them to view information tied to 1.2 million accounts, the Ministry of the Economy and Finance disclosed on Wednesday.
TV5 Monde reported that the perpetrator (or perpetrators) obtained login credentials belonging to a civil cervant authorized to use the database and then used those credentials to explore its contents.
They managed to access bank account information and related personal data: the international bank account number (IBAN), the holder’s first and last name, their address and, in some cases, the holder’s tax identification number issued by the Directorate-General for Public Finance (DGFiP).
The Ministry of the Economy said impacted individuals will be contacted directly in the coming days, adding that banks have also been alerted so they can advise customers to remain vigilant.
The authorities have notified the French data protection authority (CNIL) about the incident and have filed a criminal complaint.
This incidents comes two months after a DDoS attack that disrupted the websites, mobile apps, and (partially) the delivery network of the French postal service (La Poste) and its subsidiary La Banque Postale, and a cyber attack that resulted in the compromise of email servers at the French Ministry of the Interior.
In March 2024, attackers breached France Travail, the French national unemployment agency, and Cap emploi, a government employment service for people with disabilities, and accessed data of jobseekers that registered with the agencies in the last 20 years.
How can the accessed information be misused?
The DGFiP said that the information accessed in this latest breach would not allow threat actors to check the bank accounts’ balance or to initiate transactions.
The French Banking Federation (FBF) confirmed that that info is not sufficient to allow fraudsters to make a transfer or payment by card.
However, it could enable fraudsters posing as legitimate creditors to request direct debit payments, provided they are registered with a payment service provider as authorized debit issuers and are able to forge debit mandates (typically used for expenses such as utility bills or loan repayments).
“Fraudsters can also subscribe to subscriptions and services that would be paid for by debiting this illegally obtained IBAN. The fraudster thus benefits from real services paid for by the person whose IBAN was stolen,” the FBF explained.
The banking federation advised all bank account holders to:
- Check their accounts and listed transactions weekly and notify banks if they spot suspicious transactions
- Monitor the direct debit transactions debited from their account (and dispute fraudulent ones within eight weeks)
- Be on the lookout for social engineering attacks in which attackers leverage the obtained account and personal information to impersonate bankers to trick users into divulging usernames, passwords, and safety codes.
Subscribe to our breaking news e-mail alert to never miss out on the latest breaches, vulnerabilities and cybersecurity threats. Subscribe here!
