FICOBA (French National Bank Account Registry)
Analysis of the FICOBA breach exposing 1.2 million French bank account records from the national registry.
Published by the Scrutex.ai Research Team | February 2026
Disclaimer
This advisory is provided for informational and educational purposes only by the Scrutex research team. It is based entirely on publicly available reporting from the sources cited below. Where details are unconfirmed or disputed by the affected organisation, this is noted explicitly. Scrutex does not independently verify internal claims made by affected organisations or threat actors. This advisory should not be interpreted as a confirmed statement of fact regarding any organisation's security posture. Organisations concerned about their own exposure should conduct independent assessments and seek professional legal advice.
At a Glance
Organisation
FICOBA (French National Bank Account Registry)
French national bank account registry maintained by the tax authority DGFiP (Direction Generale des Finances Publiques), linking individuals and businesses to their bank accounts.
Sector
Financial Services / Government
Region
France
Date of Incident
Late January 2026
Date Disclosed
February 18, 2026
Estimated Impact
1.2 million bank account records
Data Types Exposed
Bank account numbers, account holder names, addresses, tax identification numbers
Attack Type
Data Breach
Attack Vector
Stolen credentials of a civil servant used to query the FICOBA database
Threat Actor
Not publicly attributed
Current Status
Credentials revoked. CNIL notified. ANSSI working to restore system with enhanced security. Affected users being individually notified.
Severity Assessment
Critical. 1.2 million bank account records from a national-level financial registry exposed, enabling direct debit fraud and identity abuse.
What Happened
In late January 2026, it was reported that 1.2 million records from FICOBA, the French national bank account registry maintained by France's tax authority DGFiP, had been exposed.
The compromised data includes sensitive bank records linking individuals to their bank accounts, creating direct implications for financial fraud and tax-related identity theft.
Timeline
Late January 2026
Stolen civil servant credentials used to query FICOBA database, extracting 1.2 million records
February 18, 2026
Incident publicly disclosed
February 2026
Credentials revoked; CNIL and ANSSI engaged in response
Impact and Risk Assessment
For Affected Individuals
1.2 million bank account records were exposed, linking individuals to their bank account numbers and tax identification numbers.
The data enables direct debit fraud, as bank account numbers can be used to set up unauthorised direct debit mandates in some European payment systems.
Tax identification numbers combined with bank details create a comprehensive financial identity profile that is difficult to change.
For Organisations
French financial institutions may face increased fraud attempts using the exposed bank account and identity data.
The DGFiP faces scrutiny over access controls and credential management for systems holding national financial data.
Regulatory Context
CNIL (France's data protection authority) has been notified. ANSSI (France's national cybersecurity agency) is working to restore the system with enhanced security.
GDPR applies, with potential fines for inadequate access controls on a national financial registry.
What Should You Do?
If You Are a Potentially Affected Individual
If you hold a French bank account, monitor your account statements for unauthorised direct debit transactions.
Contact your bank to review and restrict direct debit authorisations on your account.
Be alert to phishing attempts that reference your banking or tax details.
If You Are a Security or Risk Professional
National financial registries require the highest levels of access control, including privileged access management, session monitoring, and query-level auditing.
Stolen credentials of authorised users remain one of the most effective ways to bypass perimeter security. Implement behavioural analytics to detect anomalous query patterns.
Learnings and Recommendations
National financial registry data represents some of the most sensitive information a government holds. The exposure of bank account linkages enables financial fraud at a systemic level.
Government agencies holding critical financial infrastructure data should apply the highest levels of access control and monitoring.
Sources
This advisory is provided for informational purposes by the Scrutex.ai research team. It is based on publicly available reporting from the sources cited above. Where details are unconfirmed or disputed, we have noted this accordingly. Scrutex.ai does not independently verify internal claims made by affected organisations. Organisations concerned about their own exposure are encouraged to conduct their own assessments and seek professional advice where needed.
Stay ahead of the next breach
Scrutex monitors dark web sources, breach databases, and threat actor activity continuously, detecting exposure that affects your organisation before it becomes a headline.