French FICOBA Bank Account Database Breach Exposes Data of 1.2 Million Accounts: February 2026 Incident Analysis

Executive Summary
On February 18, 2026, the French Ministry of Economy publicly disclosed a significant data breach affecting approximately 1.2 million bank accounts in France. The breach was enabled by the compromise of an official’s credentials, which allowed a malicious actor to access the FICOBA national bank account database. The exposed data includes bank account numbers, account holder names, addresses, and, in some cases, tax identification numbers. The attacker could not view account balances or conduct transactions. Immediate containment actions were taken, including revoking the compromised credentials, blocking unauthorized access, and notifying the French data protection authority (CNIL). Authorities have warned of increased risks of identity theft, phishing, and financial scams targeting affected individuals. The incident underscores the critical importance of credential security and rapid incident response in the financial sector. All information in this summary is based on official statements and corroborated by multiple reputable sources, including Security Affairs, Le Monde, and Anadolu Agency.
Technical Information
The breach of the FICOBA (Fichier des comptes bancaires) national bank account database was executed through the use of stolen credentials belonging to a government official. The FICOBA database, maintained by the French Public Finances Directorate (DGFIP), contains records of all bank accounts opened in French banking institutions. The attacker’s access began at the end of January 2026 and was detected and contained by mid-February 2026.
Attack Vector Analysis
The initial access vector was the use of valid, but stolen, credentials. This aligns with the MITRE ATT&CK technique Valid Accounts (T1078), where attackers leverage legitimate credentials to gain unauthorized access to systems (https://attack.mitre.org/techniques/T1078/). The method by which the credentials were obtained has not been disclosed; common vectors for such theft include phishing (T1566.001, https://attack.mitre.org/techniques/T1566/001/) or theft of credentials from password stores (T1555, https://attack.mitre.org/techniques/T1555/). However, there is no direct evidence in the public disclosures to confirm the specific method used.
Once inside the system, the attacker was able to consult portions of the FICOBA file, which included sensitive personal and financial data. This activity is mapped to Data from Information Repositories (T1213), where attackers access and collect data from centralized databases (https://attack.mitre.org/techniques/T1213/).
No evidence has been presented indicating that the attacker escalated privileges or moved laterally within the network. The access appears to have been limited to the permissions associated with the compromised official’s account.
Data Compromised
The attacker accessed the following types of data: bank account numbers, account holder names, addresses, and, in some cases, tax identification numbers. There is no evidence that account balances or transaction capabilities were exposed or compromised. The French Ministry of Economy and the Public Finances Directorate have confirmed that the breach did not allow for the viewing of balances or the execution of financial operations.
Exfiltration and Containment
Authorities have stated that immediate measures were taken to block the attacker and prevent the removal of information. While the attacker was able to consult sensitive data, there is no confirmed evidence of data exfiltration. The rapid response included revoking the compromised credentials, blocking further access, and notifying both the CNIL and law enforcement. A criminal complaint was filed, and affected individuals are being notified directly.
Attribution and Threat Actor Profile
The French Ministry of Economy has not attributed the attack to any specific threat actor or group. It remains unclear whether the attacker is a nation-state actor or a financially motivated cybercriminal. The use of credential theft is a common tactic among both categories of threat actors. Without technical artifacts such as malware samples, command-and-control infrastructure, or unique tactics, techniques, and procedures (TTPs), attribution remains speculative and is assessed with low confidence.
Sector-Specific Implications
The breach directly impacts the French financial sector, specifically the integrity and confidentiality of the FICOBA registry. This registry is a critical component of the national financial infrastructure, used by authorities to track all bank accounts in the country. The exposure of personal and financial data increases the risk of downstream attacks, including identity theft, targeted phishing campaigns, and financial fraud. Authorities have warned that fraudsters may attempt to pose as bank representatives to exploit the situation.
Technical Evidence Assessment
All major claims in this report are corroborated by at least three independent, reputable sources: Security Affairs (https://securityaffairs.com/188200/hacking/french-ministry-confirms-data-access-to-1-2-million-bank-accounts.html), Le Monde (https://www.lemonde.fr/en/economy/article/2026/02/18/hacker-accessed-data-from-1-2-million-bank-accounts-french-economy-ministry-says_6750628_19.html), and Anadolu Agency (https://www.aa.com.tr/en/europe/france-reports-data-breach-affecting-12-million-bank-accounts/3834116). No technical artifacts (such as malware or forensic logs) have been released. The evidence for the attack vector and data accessed is considered high confidence, while attribution remains low confidence due to lack of technical indicators.
Affected Versions & Timeline
The breach affected the FICOBA national bank account database, which contains records of all bank accounts in French banking institutions. The incident timeline is as follows: At the end of January 2026, unauthorized access to the FICOBA database began using stolen official credentials. The breach was detected and contained by mid-February 2026. On February 18, 2026, the French Ministry of Economy publicly disclosed the breach, confirming that 1.2 million accounts were affected. Immediate response actions included revoking the compromised credentials, blocking unauthorized access, notifying the CNIL, and filing a criminal complaint. Affected individuals and banks were informed and instructed to alert their clients.
Threat Activity
The threat activity in this incident centers on the use of stolen credentials to access a sensitive government database. The attacker’s actions were limited to consulting data within the FICOBA system, with no evidence of privilege escalation, lateral movement, or deployment of malware. The primary risk resulting from this activity is the exposure of sensitive personal and financial data, which can be leveraged for identity theft, phishing, and financial scams. Authorities have specifically warned that fraudsters may attempt to exploit the situation by posing as bank representatives. The lack of evidence regarding data exfiltration does not eliminate the risk, as the attacker’s ability to consult the data could still facilitate downstream attacks. The incident highlights the persistent threat posed by credential-based attacks in the financial sector and the need for robust access controls and monitoring.
Mitigation & Workarounds
The following mitigation actions and workarounds are recommended, prioritized by severity:
Critical: Immediate review and revocation of any compromised or unused credentials with access to sensitive databases such as FICOBA. Implement multi-factor authentication (MFA) for all privileged and sensitive accounts to reduce the risk of credential abuse. Conduct a comprehensive audit of access logs to identify any unauthorized activity and ensure that all access is legitimate.
High: Notify all affected individuals and financial institutions promptly, providing clear guidance on recognizing and reporting phishing attempts, identity theft, and financial scams. Enhance monitoring for suspicious activity targeting affected individuals, including unusual account access or attempts to open new accounts using stolen information.
Medium: Review and update incident response plans to ensure rapid detection and containment of credential-based breaches. Provide targeted security awareness training to all personnel with access to sensitive databases, emphasizing the risks of phishing and credential theft.
Low: Regularly review and update access permissions to ensure the principle of least privilege is enforced. Consider periodic penetration testing and red teaming exercises to identify potential weaknesses in access controls and credential management.
These recommendations are based on the technical details of the incident and the specific risks identified by French authorities and independent security analysis.
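The access-log audit recommended under Critical can be approached by comparing each account's daily lookup volume and source address against that account's own history, since a stolen but valid credential passes authentication and only its usage pattern stands out. The sketch below is an added example, not code from the authorities or from this report's sources; the log schema, user names, IP addresses and thresholds are all constructed assumptions, as FICOBA's audit format is not public.

```python
from collections import defaultdict
from statistics import median

def build_sample_events():
    """Constructed audit events (day, user, source_ip, record_id); the schema is assumed."""
    events, rec = [], 0
    def add(day, user, ip, n):
        nonlocal rec
        for _ in range(n):
            rec += 1
            events.append((day, user, ip, f"R{rec}"))
    for day in range(1, 15):                      # 14 days of routine lookups
        add(day, "agent_a", "10.0.0.5", 20 + day % 3)
        add(day, "agent_b", "10.0.0.9", 35 + day % 3)
    for day in (15, 16):                          # agent_b's valid credentials used from elsewhere
        add(day, "agent_a", "10.0.0.5", 21)
        add(day, "agent_b", "203.0.113.7", 4000)
    return events

def audit(events, baseline_days=14, k=5.0, floor=50):
    """Return (day, user, distinct_records, reasons) for days after the baseline window
    where a user's lookup volume or source IP departs from that user's own history."""
    records, ips = defaultdict(set), defaultdict(set)
    for day, user, ip, record in events:
        records[(user, day)].add(record)
        ips[(user, day)].add(ip)
    findings = []
    for user in sorted({u for u, _ in records}):
        days = sorted(d for u, d in records if u == user)
        base = [len(records[(user, d)]) for d in days if d <= baseline_days]
        known_ips = set().union(*(ips[(user, d)] for d in days if d <= baseline_days))
        med = median(base) if base else 0
        mad = median(abs(c - med) for c in base) if base else 0
        limit = max(floor, med + k * mad)         # robust threshold with a minimum floor
        for d in days:
            if d <= baseline_days:
                continue
            count, reasons = len(records[(user, d)]), []
            if count > limit:
                reasons.append("volume")
            if ips[(user, d)] - known_ips:
                reasons.append("new_source_ip")
            if reasons:
                findings.append((d, user, count, reasons))
    return findings

if __name__ == "__main__":
    for finding in audit(build_sample_events()):
        print(finding)
```

The median and median absolute deviation keep one unusually busy day in the baseline from inflating the threshold, and the floor avoids alerting on accounts whose normal volume is very low.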
References
Security Affairs: https://securityaffairs.com/188200/hacking/french-ministry-confirms-data-access-to-1-2-million-bank-accounts.html
Le Monde: https://www.lemonde.fr/en/economy/article/2026/02/18/hacker-accessed-data-from-1-2-million-bank-accounts-french-economy-ministry-says_6750628_19.html
Anadolu Agency: https://www.aa.com.tr/en/europe/france-reports-data-breach-affecting-12-million-bank-accounts/3834116
MITRE ATT&CK T1078: https://attack.mitre.org/techniques/T1078/
MITRE ATT&CK T1213: https://attack.mitre.org/techniques/T1213/
MITRE ATT&CK T1566.001: https://attack.mitre.org/techniques/T1566/001/
MITRE ATT&CK T1555: https://attack.mitre.org/techniques/T1555/
About Rescana
Rescana provides a third-party risk management (TPRM) platform designed to help organizations identify, assess, and monitor risks associated with external vendors and partners. Our platform enables continuous monitoring of credential exposure, access control weaknesses, and compliance with regulatory requirements. We support organizations in implementing robust access management, incident response, and data protection strategies to reduce the risk of credential-based breaches. For questions or further information, please contact us at ops@rescana.com.