1.2 mn accounts exposed after breach of France FICOBA registry

The Directorate General of Public Finances (Direction générale des Finances publiques – DGFiP), the French national authority responsible for managing public revenue, expenditure, and property, disclosed unauthorized access to France’s national bank account registry, exposing data tied to roughly 1.2 mn accounts. The breach did not rely on malware or a zero-day exploit. It relied on stolen credentials.

Attackers used government login details taken from a civil servant with approved access to an information-sharing platform.

With those credentials, the intruder accessed part of the FICOBA database in late January 2026. Authorities believe the actor viewed sensitive account metadata and may have exfiltrated it before detection.

FICOBA functions as France’s centralized registry of bank accounts. It allows state authorities to identify where accounts exist and who holds them across French financial institutions.

The system does not store balances or transaction histories, though it links individuals to specific financial accounts through identifiers banks submit under tax enforcement and transparency rules.

The attacker accessed records containing RIB and IBAN details, account holder names, physical addresses and, in certain cases, taxpayer identification numbers.

These data points enable account mapping and targeted fraud. They don’t enable direct fund transfers on their own, yet they lower the barrier for social engineering and payment diversion schemes.

Officials took the registry offline as a precaution, disrupting normal operations. No public timeline outlines full restoration. France’s data protection regulator received formal notification under national and EU data protection law and will assess scope, exposure and compliance response.

The breach underscores a stubborn reality in cybersecurity. Credential theft still works.

Perimeter defenses, network segmentation, endpoint controls – none of it matters if valid credentials open the door. This incident involved no software flaw. The attacker logged in.

IT teams at the tax authority now work with the Ministry of Finance and the national cybersecurity agency to tighten access governance.

They plan to strengthen authentication controls and harden credential management practices before restoring full operations.

According to Beinsure analysts, registries holding aggregated financial identifiers represent high-value targets because they compress exposure into a single control plane.

When authentication fails, blast radius expands fast. Here, 1.2 mn accounts. One set of credentials.