TL;DR: An attacker stole credentials from a French civil servant and used them to access FICOBA, France's national registry of every bank account in the country. They queried data on 1.2 million accounts out of a database covering 80+ million people. The breach happened in late January 2026 but wasn't disclosed until February 19. Exposed data includes IBANs, names, addresses, and some tax IDs. The government says attackers can't drain accounts directly, but they can set up fraudulent direct debits.

What Is FICOBA?

FICOBA (Fichier national des comptes bancaires et assimilés) is France's master list of bank accounts. Every account opened in a French bank gets logged here.[1]

The database is maintained by the Direction Générale des Finances Publiques (DGFiP), France's tax authority. It contains records on over 300 million accounts linked to more than 80 million individuals.[2]

Government officials, tax investigators, and some interministerial systems have authorized access. That's exactly what made this breach possible.

How the Attacker Got In

The Ministry of Economy and Finance disclosed the breach on February 19, 2026. Their explanation: an attacker "impersonated a civil servant whose credentials allowed access as part of interministerial information exchanges."[1]

Translation: someone stole a government employee's login and used it to browse the database.

The breach started in late January 2026. How the credentials were stolen hasn't been disclosed: phishing, infostealer malware, or credential stuffing could all apply. The government isn't saying.

What we know: the attacker queried roughly 1.2 million accounts before authorities detected the activity and cut off access.[2]
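A ceiling on how many distinct records one credential may read in a short window is one control that surfaces this kind of bulk lookup early. The Python below is an added example, not code from DGFiP or any FICOBA system; the log format, user and record names, window and threshold are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed look-back window
MAX_DISTINCT = 5                # assumed ceiling, kept tiny for the demo

# Constructed audit lines: "ISO-timestamp user=<id> record=<id>" (assumed format).
SAMPLE = (
    # agent-a: steady work, re-reads the same three records all hour
    [f"2026-01-28T09:{m:02d}:00 user=agent-a record=R{m % 3}" for m in range(0, 60, 5)]
    # agent-b: eight different records within forty seconds
    + [f"2026-01-28T10:00:{s:02d} user=agent-b record=R{100 + s}" for s in range(0, 40, 5)]
    # agent-c: six different records, but one per hour
    + [f"2026-01-28T{h:02d}:00:00 user=agent-c record=R{200 + h}" for h in range(11, 17)]
)

def parse(line):
    ts, user, record = line.split()
    return datetime.fromisoformat(ts), user.split("=", 1)[1], record.split("=", 1)[1]

def bulk_readers(lines, window=WINDOW, max_distinct=MAX_DISTINCT):
    """Map each user to the first time they held more than max_distinct
    distinct records inside one sliding window."""
    recent = defaultdict(deque)                     # user -> (ts, record) events in window
    counts = defaultdict(lambda: defaultdict(int))  # user -> record -> hits in window
    alerts = {}
    for ts, user, record in sorted(map(parse, lines)):
        events, seen = recent[user], counts[user]
        events.append((ts, record))
        seen[record] += 1
        # Drop events that have aged out of the window.
        while ts - events[0][0] > window:
            _, old = events.popleft()
            seen[old] -= 1
            if seen[old] == 0:
                del seen[old]
        if len(seen) > max_distinct:
            alerts.setdefault(user, ts)
    return alerts

if __name__ == "__main__":
    for user, ts in bulk_readers(SAMPLE).items():
        print(f"ALERT {user}: more than {MAX_DISTINCT} distinct records by {ts.isoformat()}")
```

Counting distinct records rather than raw queries keeps a clerk who reopens the same few files from tripping the alert, while a credential that walks through new records does.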

What Data Was Exposed

For each of the 1.2 million accessed accounts:

  • IBANs: Full international bank account numbers
  • Account holder names: First and last name
  • Addresses: Physical address on file
  • Tax ID numbers: In some cases

The database doesn't store account balances or allow transactions. That's the good news.

The bad news: an IBAN combined with a name and an address is exactly what direct debit fraud requires.

The Direct Debit Problem

French authorities are downplaying the risk. The Ministry says the stolen data "does not allow threat actors to check the bank accounts' balance or to initiate transactions."[3]

The French Banking Federation (FBF) echoed that: "This info is not sufficient to allow fraudsters to make a transfer or payment by card."[3]

Here's what they're glossing over: SEPA direct debits work differently.

With a valid IBAN and account holder details, an attacker who registers as a creditor with a payment service provider can:

  • Forge direct debit mandates
  • Subscribe victims to services they never signed up for
  • Charge recurring fees to stolen accounts

The victim gets a charge on their statement. They dispute it. The money eventually comes back, but it takes time, paperwork, and the attacker might have already cashed out.

Social engineering gets easier too. If someone calls you, knows your name, address, and bank details, and claims to be from your bank, how do you know they're not?

Government Response

The government says it:

  • Cut access immediately: Once the breach was detected
  • Notified CNIL: France's data protection authority
  • Filed criminal charges: Investigation ongoing
  • Alerted banks: To warn customers about potential fraud

Affected individuals should receive direct notification by February 24, 2026.[2]

Here's the catch: 1.2 million people need to be notified. That's a lot of letters. If you have a French bank account, don't wait for official word before taking precautions.

France's Data Protection Problem

This isn't France's first major government data breach this year.

In early 2026, France disclosed that 45 million records were exposed across voter registration and healthcare systems. That breach involved names, addresses, national ID numbers, and health data.[4]

Now the bank registry. Combined, French authorities have exposed data touching nearly half the country's population in the past two months.

The pattern: government databases with weak access controls, civil servant credentials that get stolen, and slow disclosure after the fact.

France's ANSSI (national cybersecurity agency) and finance ministry cybersecurity teams are investigating. But hardening these systems after a breach is closing the barn door after the horse has bolted.

What You Should Do

If you have a French bank account:

  • Watch for unexpected direct debits: Check statements weekly, not monthly
  • Set up transaction alerts: Most French banks offer SMS or app notifications for debits
  • Be skeptical of calls: Your bank won't ask you to confirm IBAN details over the phone
  • Don't click links in "fraud alert" emails: Phishing will spike as attackers exploit the news
  • Consider a SEPA direct debit whitelist: Some banks let you restrict which creditors can debit your account

If you receive official notification from French authorities, follow their instructions but verify the letter is real before calling any phone numbers it provides.

The Bottom Line

A single stolen government credential gave an attacker access to data on 1.2 million French bank accounts. The national bank registry (supposed to be restricted to authorized officials) got browsed like a phone book.

This is what happens when centralized databases hold sensitive data on millions of people with access controls that boil down to a username and password.

France isn't unique. Every country has these databases. The question isn't whether they'll get breached. It's when.

References

  1. The Record - Attackers Breach France's National Bank Account Database (February 2026)
  2. Help Net Security - FICOBA Data Breach Affects 1.2 Million French Bank Accounts (February 2026)
  3. Connexion France - More Than a Million People Hit by Bank Account Data Breach (February 2026)
  4. Security Week - French Government Says 1.2 Million Bank Accounts Exposed (February 2026)