France's tax authority (DGFiP) confirmed on February 18, 2026 that an attacker spent 16 days inside FICOBA, the national registry of every bank account opened in France, using a single civil servant's stolen credentials. No MFA. No anomaly detection that triggered in time. The result: 1.2 million records containing IBANs, full legal identities, home addresses, and dates of birth now in criminal hands. This is a separate incident from the 45-million-record cloud exposure reported the same week. France is having a very bad year.

What Happened

Between January 28 and February 13, 2026, an unauthorized actor maintained persistent access to FICOBA, France's Fichier des Comptes Bancaires et Assimilés, the national database containing records for approximately 300 million bank accounts across every French financial institution. The attacker accessed the system using stolen credentials belonging to a civil servant with legitimate inter-ministerial data exchange access.

DGFiP disclosed the breach publicly on February 18, five days after the intrusion was contained. French banking authorities, including the Banque de France and the French Banking Federation, moved quickly to issue reassurance statements emphasizing that account balances and transaction histories were not exposed. That framing, however accurate, understates the fraud utility of what was taken.

The breach was undetected for the full 16-day duration. No security control triggered. The compromised account had no multi-factor authentication.

What Was Taken

1.2 million FICOBA records were accessed and exfiltrated. Each record contains:

What was not taken: account balances, transaction history, or login credentials to banking portals. That is the ceiling of the good news.

The 1.2 million exposed accounts represent a slice of FICOBA's full 300 million entry dataset. The attacker had 16 days of access to a database with no per-record access logging that triggered alerts. The actual enumeration scope may be understated.

Why It Matters

An IBAN is not inert data. The SFAM fraud case (in which a single company used harvested IBANs to execute unauthorized SEPA direct debits against 743,000 victims) is the operational proof of concept. The FICOBA breach hands criminals a pre-validated dataset: real IBANs matched to confirmed legal identities and current addresses, sourced directly from the government registry. That combination is the full fraud toolkit.

Two attack paths are now open at scale:

SEPA direct debit fraud. Under SEPA rules, any entity with your IBAN and identity details can initiate a direct debit mandate. Banks are supposed to verify mandates, but the burden of reversal falls on the victim after the fact. Industrial-scale unauthorized debits are viable with this dataset.

Targeted social engineering. An attacker who knows your name, address, date of birth, and bank can impersonate your bank, the DGFiP, or any financial institution with precision. The data is rich enough to defeat standard identity verification questions. Vishing campaigns built on FICOBA records will be difficult to distinguish from legitimate contact.

France's pattern here is also strategically significant: France Travail (43M), Free telecom (19M), Viamedis health insurer (33M), national health data (15M), and now FICOBA. Each breach feeds the next. Criminals cross-referencing these datasets now have comprehensive financial, health, employment, and identity profiles on tens of millions of French citizens.

The Attack Technique

Credential theft leading to privileged access abuse. The attacker obtained the login credentials of a civil servant with authorized FICOBA access, almost certainly through targeted phishing or malware deployment. The compromised account had no multi-factor authentication configured.

This is a pure identity-based attack. No software vulnerability was exploited. No zero-day. No lateral movement through hardened infrastructure. A single username and password was the entire attack surface, and it was sufficient to access one of the most sensitive financial databases in Europe for over two weeks.

Benoît Grunemwald of ESET France described it as "an organizational failure, not a technical vulnerability." The Solidaires Finances Publiques union characterized the absence of MFA on an account with this access level as "almost surreal negligence." Both assessments are accurate.

The 16-day dwell time before detection indicates no behavioral analytics or access anomaly detection was monitoring FICOBA query patterns for the compromised account.

What Organizations Should Do

This breach is a government failure, but the defensive lessons apply universally to any organization managing sensitive registries or privileged data access:

  1. MFA is non-negotiable on privileged accounts, with no exceptions. Any account with access to sensitive data at scale must require a second factor. This breach would not have happened with TOTP or hardware key enforcement. Audit your privileged account MFA coverage now.

  2. Implement behavioral analytics on high-value data access. Sixteen days of anomalous queries against a sensitive registry should generate alerts. Deploy UEBA (User and Entity Behavior Analytics) on data stores that matter; flag volume anomalies, off-hours access, and access from new source IPs.

  3. Apply least privilege strictly to inter-system access accounts. Civil servants with data exchange permissions should have scoped, time-limited, query-limited access, not broad read access to the full registry. Audit service accounts and inter-agency access grants.

  4. For French organizations and affected individuals: Instruct employees and customers to monitor bank statements for unauthorized SEPA mandates. Enable SEPA mandate whitelisting with your bank where available. Be alert to unusually well-informed social engineering; callers who know your IBAN and address are not necessarily legitimate.

  5. Accelerate data minimization on inter-agency exchanges. The attack was enabled by an account with access to FICOBA for inter-ministerial data sharing. Data exchange architectures should expose the minimum necessary fields, not full record access, to consuming systems.

  6. Assume cross-dataset correlation by adversaries. For organizations operating in France: treat the combination of FICOBA + France Travail + Viamedis + Free breach data as a unified adversary dataset. Your users' identities are comprehensively profiled. Adjust authentication, fraud detection, and customer contact verification accordingly.
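
The three signals named in item 2 (volume anomalies, off-hours access, new source IPs), applied per account to a registry access log. This is an added example, not code from DGFiP or from the original article; the log format, account name, working hours and volume factor are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median
# Constructed access log (not real data): timestamp, account, source IP, records returned.
SAMPLE_LOG = """\
2026-01-12T09:14:00 agent_a 10.1.4.20 35
2026-01-13T10:02:00 agent_a 10.1.4.20 41
2026-01-14T14:30:00 agent_a 10.1.4.20 28
2026-01-15T11:45:00 agent_a 10.1.4.20 37
2026-01-16T16:05:00 agent_a 10.1.4.20 44
2026-01-20T02:11:00 agent_a 198.51.100.7 5200
2026-01-20T10:20:00 agent_a 10.1.4.20 36
2026-01-21T03:40:00 agent_a 198.51.100.7 6100
"""
WORK_HOURS = range(7, 20)  # assumption: normal working hours for these accounts
VOLUME_FACTOR = 5          # assumption: alert above 5x the account's median daily volume

def parse(log):
    for line in log.strip().splitlines():
        ts, account, ip, count = line.split()
        yield datetime.fromisoformat(ts), account, ip, int(count)

def build_baseline(events):
    """Per account: daily volume limit (factor x median) and known source IPs."""
    daily, ips = defaultdict(lambda: defaultdict(int)), defaultdict(set)
    for ts, account, ip, count in events:
        daily[account][ts.date()] += count
        ips[account].add(ip)
    return {a: (VOLUME_FACTOR * median(daily[a].values()), ips[a]) for a in daily}

def detect(events, baseline):
    """Return (timestamp, account, reason) alerts; events must be time-ordered."""
    alerts, running = [], defaultdict(int)
    for ts, account, ip, count in events:
        limit, known_ips = baseline.get(account, (0, set()))  # no baseline: always alerts
        total = running[account, ts.date()] = running[account, ts.date()] + count
        if ip not in known_ips:
            alerts.append((ts, account, "new_source_ip"))
        if ts.hour not in WORK_HOURS:
            alerts.append((ts, account, "off_hours"))
        if total - count <= limit < total:  # fire once, when the daily total crosses
            alerts.append((ts, account, "volume"))
    return alerts

def run(log=SAMPLE_LOG, cutoff=datetime(2026, 1, 20)):
    """Learn the baseline from events before cutoff, then score the rest."""
    events = list(parse(log))
    baseline = build_baseline(e for e in events if e[0] < cutoff)
    return detect([e for e in events if e[0] >= cutoff], baseline)
```

On the constructed log, the account's ordinary daytime query from its usual address on January 20 raises nothing, while each bulk pull from the unfamiliar address raises all three signals on its first event.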

Sources