1.2 Million Accounts Exposed in French Bank Registry Breach

Stolen government credentials were used to access France’s FICOBA registry, exposing data tied to roughly 1.2 million bank accounts.

Written By Ken Underhill
Feb 23, 2026

An incident disclosed by the French Ministry of Finance involved unauthorized access to the national bank account registry and may have exposed data tied to approximately 1.2 million accounts. 

This case highlights the continued effectiveness of credential theft as an attack vector.

The attacker “… was able to consult part of this file which lists all bank accounts opened in French banking establishments and contains personal data: bank details (RIB / IBAN), identity of the holder, address and, in some cases, the tax identifier of the user,” said the Directorate General of Public Finances in its press release.

Inside the FICOBA Security Incident

The incident centers on FICOBA, France’s centralized registry of bank accounts, which is used by government authorities to identify where bank accounts exist and who owns them across French financial institutions. 

The registry does not store transaction histories or balances, but it does contain sensitive identifiers that link individuals to specific financial accounts. 

FICOBA is operated by France’s tax authority and is populated with data submitted by banks in accordance with national tax enforcement and financial transparency requirements.

According to the Ministry, the intrusion occurred in late January 2026 when a threat actor used credentials stolen from a civil servant who had authorized access to an information-sharing platform. 

Those credentials provided access to a portion of the FICOBA database, allowing the attacker to view sensitive account metadata rather than transactional data. 

The compromised information may include bank account identifiers such as RIBs and IBANs, account holder names, physical addresses, and, in some cases, taxpayer identification numbers.

The incident did not involve exploitation of a software flaw; instead, the attacker abused legitimate access using stolen credentials, allowing them to bypass traditional perimeter-based security controls. 

Although authorities moved quickly to restrict access once the intrusion was detected, officials believe that data associated with approximately 1.2 million accounts had already been exposed to potential exfiltration. 

As a precautionary measure, the registry was taken offline, disrupting normal operations, and no public timeline has been provided for its full restoration.

France’s data protection authority has been formally notified of the incident, as required under national and European data protection regulations, and is expected to assess the scope of the exposure and determine whether additional action or guidance is warranted. 

In parallel, the tax authority’s IT teams are working with the Ministry of Finance and the national cybersecurity agency to strengthen access controls, improve credential security, and restore the registry to full operational status with enhanced protections in place.

Reducing the Impact of Credential Compromise

The misuse of valid credentials continues to be a common factor in security incidents, allowing attackers to operate without exploiting specific technical vulnerabilities. 

In these cases, limiting access, identifying abnormal behavior, and reducing potential exposure become key defensive priorities.

  • Enforce phishing-resistant multi-factor authentication and just-in-time access for privileged users to reduce the impact of credential theft.
  • Apply strict least-privilege access controls and privilege tiering to limit how much sensitive data any single account can reach.
  • Implement behavioral monitoring and anomaly detection to identify misuse of valid credentials, such as unusual access patterns or bulk data queries.
  • Restrict bulk data access through query throttling, segmentation, and data-level controls to reduce the blast radius of compromised accounts.
  • Maintain immutable, tamper-resistant audit logs and centralized visibility to support rapid investigation and regulatory response.
  • Proactively communicate with users and customers about breach-related scam tactics to reduce the effectiveness of phishing and social engineering.
  • Regularly test and refine incident response plans using credential-compromise scenarios to ensure rapid containment and coordinated recovery.
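
The behavioral-monitoring and bulk-access items above can be made concrete with a small detector over registry audit logs. This is an added example, not code from the article or from any French government system; the event fields, account names, thresholds and sample log are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed sliding window
FLOOR = 20                      # assumed minimum distinct lookups before alerting
FACTOR = 5                      # assumed multiple of the account's own baseline

def detect_bulk_lookups(events, baselines):
    """events: (iso_timestamp, account, record_id) tuples sorted by time.
    baselines: account -> typical distinct records per window, from history.
    Returns the first (timestamp, account, distinct_count) alert per account."""
    recent = defaultdict(deque)  # account -> (time, record_id) inside the window
    alerted = {}
    for ts, account, record_id in events:
        now = datetime.fromisoformat(ts)
        window = recent[account]
        window.append((now, record_id))
        while window and now - window[0][0] > WINDOW:
            window.popleft()  # drop lookups older than the window
        # Count distinct records so repeated views of one file do not alert.
        distinct = len({rid for _, rid in window})
        threshold = max(FLOOR, FACTOR * baselines.get(account, 0))
        if distinct > threshold and account not in alerted:
            alerted[account] = (ts, account, distinct)
    return list(alerted.values())

def build_sample_log():
    """Constructed audit events: one normal user, one account reading in bulk."""
    start = datetime(2026, 1, 28, 9, 0, 0)
    events = []
    for i in range(12):   # agent_a: one lookup every 10 minutes
        t = start + timedelta(minutes=10 * i)
        events.append((t.isoformat(), "agent_a", f"acct-{i}"))
    for i in range(300):  # agent_b: one new record per second
        t = start + timedelta(hours=1, seconds=i)
        events.append((t.isoformat(), "agent_b", f"acct-{1000 + i}"))
    events.sort(key=lambda e: e[0])
    return events

BASELINES = {"agent_a": 3, "agent_b": 4}  # constructed historical baselines

if __name__ == "__main__":
    for alert in detect_bulk_lookups(build_sample_log(), BASELINES):
        print(alert)
```

The same per-account counter can drive throttling: once the threshold is crossed, further lookups are held for review instead of only raising an alert.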

Together, these measures help organizations limit the blast radius of credential-based incidents while building the operational resilience needed to detect misuse quickly, contain exposure, and recover with minimal disruption. 

Identity Risk in Centralized Data Environments

The FICOBA incident illustrates how the misuse of valid credentials remains a meaningful risk for organizations that manage centralized, high-value data, even when no technical vulnerabilities are exploited. 

In this context, effective access controls, monitoring for abnormal activity, and preparedness for rapid containment play an important role in limiting broader impact. 

As organizations look to address these identity-driven risks more systematically, zero-trust solutions offer a framework for continuously verifying access, limiting implicit trust, and reducing the impact of compromised credentials.

Ken Underhill

Ken Underhill is an award-winning cybersecurity professional, bestselling author, and seasoned IT professional. He holds a graduate degree in cybersecurity and information assurance from Western Governors University and brings years of hands-on experience to the field.
