A single compromised account gave hackers access to 1.2 million French banking records

FICOBA has warned that “numerous” scams are already in circulation following the data breach


Credentials stolen from a single government official enabled threat actors to access a French national database containing data on more than 1.2 million bank accounts.

The attackers were able to access the Fichier des Comptes Bancaires et Assimilés (FICOBA) database, which contains files on all bank accounts opened in France.

Stolen credentials were used by the threat actors to impersonate a civil servant and view data that included personal information such as bank account numbers, account holders' names and addresses, IBANs, and, in some cases, the account owner's tax number.

"Starting at the end of January 2026, a malicious actor, who had impersonated a civil servant with access rights as part of an inter-ministerial information exchange, was able to consult a portion of this file," FICOBA said in a statement.

"As soon as this incident was detected, immediate access restrictions were implemented to stop the attack, limit the scope of the data accessed and extracted from this database – which reportedly includes 1.2 million accounts – and prevent any further unauthorized access."

FICOBA said IT teams at the French Public Finances Directorate, along with other bodies, were working to address this incident and strengthen security. The incident has also been reported to the French Data Protection Authority (CNIL), it said.

The chief of France's Public Finances told Agence France-Presse that affected individuals will be contacted over the next few days. Officials insisted the breach did not give attackers access to account balances or transactions.

FICOBA breach prompts phishing frenzy

Security researchers at Cybernews said that this may not be the full story. While account balances can’t be accessed from this data alone, this incident “still poses risks” to users across the country.

“Exposed PII, such as names and addresses, can be combined with other leaked data to profile people and construct convincing phishing campaigns that can pose as the national bank.”

Researchers said that combining this data with tax identification numbers increases the risk of fraud and identity theft, as these numbers can be used as identifiers on government platforms.

FICOBA has warned that "numerous" scams are circulating via email or SMS, aiming to obtain information or payments from users.

Individuals who receive such messages have been urged not to reply, and should instead contact their local tax office through the secure messaging system in their online account or by phone to verify the authenticity of the message.

Meanwhile, Michael Jepson, penetration testing manager at CybaVerse, said it's worrying that a single individual within the organization was able to access large volumes of sensitive data unilaterally.

"Traditionally, access scope often increased with seniority, an approach that is now widely recognized as problematic in modern threat environments," he said.

"Modern security practice recognizes that access should be determined strictly by operational need rather than hierarchy. Senior figures are frequently primary targets for threat actors, which makes excessive privilege particularly dangerous."


Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.