CBIA thanks Tima Miroshnichenko for the photo

Stolen Government Credentials Used to Access Data of 1.2 Million French Bank Accounts

by CBIA Team

Attackers stole credentials from a French government official to gain access to a national banking database containing personal details of up to 1.2 million account holders, in a breach that highlights critical vulnerabilities in government data protection systems. The sophisticated compromise targeted France's FICOBA database—a comprehensive registry of all bank accounts opened in the country—allowing unauthorized viewing of sensitive information including names, IBANs, and in some cases, tax identification numbers.

The breach, which occurred in late January 2026 and persisted for several days, prompted the French government to announce plans for direct notification of affected individuals. Security experts warn the stolen data could fuel sophisticated phishing campaigns and financial fraud schemes targeting French citizens.

Background and Context

The FICOBA (Fichier des Comptes Bancaires) database serves as France's central repository for bank account information, maintained by tax authorities to combat financial crime and ensure regulatory compliance. Its comprehensive nature—containing details of virtually every bank account in France—makes it an especially high-value target for criminal networks seeking to exploit personal financial data for fraudulent purposes.

The breach demonstrates how traditional security models, which often grant broader access privileges based on seniority rather than operational necessity, can create systemic vulnerabilities. As George Foley, Security Spokesperson for ESET Ireland, noted: "Most people hear 'bank data breach' and picture a technical break-in. In reality, a lot of these incidents are closer to someone getting hold of the right keys. If an attacker gets a legitimate login, they often don't need to 'hack' anything. They just log in."

Key Figures and Entities

While the identity of the attackers remains unknown, investigators have confirmed that credentials stolen from a government official provided initial access to the system. The breach has drawn responses from cybersecurity experts across the industry, including Michael Jepson, Penetration Testing Manager at CybaVerse, who emphasized that "if individual members of an organisation can access large volumes of sensitive data unilaterally, this creates a structural weakness where a single set of compromised credentials can lead to widespread data exposure."

James Neilson, SVP of Global at OPSWAT, warned that "the exposure of 1.2 million bank accounts is significant, and the main concern now will be stolen data being used to conduct identity fraud and phishing attacks. For example, tax identifiers could be used to mimic official tax agencies or to file fraudulent tax returns."

The attack exploited a fundamental flaw in access control systems—excessive privileges granted to individual user accounts without additional safeguards. According to security experts, the attackers likely moved laterally through the system once inside, exploiting the broad access rights associated with the compromised credentials to extract substantial amounts of data without triggering immediate security alerts.

The stolen information—names, addresses, account numbers, and tax identifiers—provides criminals with sufficient detail to execute convincing impersonation scams. Foley noted that "even where money can't be moved directly, the details are still valuable. They help criminals sound convincing. That's when you get the 'we need to verify you' calls, the fake security emails, and the pressure to act fast."

International Implications and Policy Response

The breach underscores growing concerns about government data protection practices across Europe, particularly as nations increasingly centralize sensitive information to combat financial crime. Security advocates are calling for widespread adoption of zero-trust architecture, which would require continuous verification of all users and devices attempting to access network resources, regardless of their location.

Experts recommend implementing automated monitoring systems capable of detecting anomalous behavior patterns, such as bulk data access or unusual export activities, even from authenticated users. "Organisations in both the public and private sectors should adopt zero trust principles, ensuring that access requests are not trusted solely on the basis of valid credentials," Jepson advised. "Individuals should only have access to the data necessary for their specific role and daily operations."
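The kind of bulk-access monitoring recommended above can be sketched as a per-user sliding-window check over an audit log. This is an added example, not code from the article or from any system it describes; the record format, user names, thresholds and sample events are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)
FLOOR = 200      # assumed: never alert below this many records per hour
MULTIPLIER = 5   # assumed: alert at 5x the user's normal hourly volume

def detect_bulk_access(events, baselines):
    """events: time-ordered (iso_ts, user, records_viewed) tuples.
    baselines: user -> typical records viewed per hour, from past audit data.
    Returns one (iso_ts, user, window_total, threshold) tuple per burst."""
    windows = defaultdict(deque)  # user -> (ts, count) entries inside WINDOW
    totals = defaultdict(int)     # user -> records viewed inside WINDOW
    alerting = set()              # users already flagged for the current burst
    alerts = []
    for iso_ts, user, count in events:
        ts = datetime.fromisoformat(iso_ts)
        win = windows[user]
        win.append((ts, count))
        totals[user] += count
        # Drop entries that have aged out of the window.
        while win and ts - win[0][0] > WINDOW:
            totals[user] -= win.popleft()[1]
        # Valid credentials do not exempt a session: volume is judged
        # against the account's own history, with an absolute floor.
        threshold = max(FLOOR, MULTIPLIER * baselines.get(user, 0))
        if totals[user] > threshold:
            if user not in alerting:
                alerting.add(user)
                alerts.append((iso_ts, user, totals[user], threshold))
        else:
            alerting.discard(user)
    return alerts

# Constructed sample data (not real logs): agent_b's account starts
# pulling far more records than usual late in the evening.
SAMPLE_EVENTS = [
    ("2026-01-28T09:05:00", "agent_a", 12),
    ("2026-01-28T09:40:00", "agent_b", 30),
    ("2026-01-28T10:10:00", "agent_a", 15),
    ("2026-01-28T22:01:00", "agent_b", 150),
    ("2026-01-28T22:20:00", "agent_b", 180),
    ("2026-01-28T22:45:00", "agent_b", 400),
    ("2026-01-28T23:30:00", "agent_b", 20),
]
SAMPLE_BASELINES = {"agent_a": 20, "agent_b": 40}

if __name__ == "__main__":
    for alert in detect_bulk_access(SAMPLE_EVENTS, SAMPLE_BASELINES):
        print("ALERT", alert)
```

An alert from a check like this is a prompt to step up verification or suspend the session; it complements, rather than replaces, narrowing what a single account can read in the first place.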

Sources

This report draws on statements from cybersecurity professionals at CybaVerse, ESET Ireland, and OPSWAT, as well as official announcements from the French government regarding the FICOBA database breach disclosed in February 2026.
