France’s National Bank Account Database Hacked: 1.2 Million Accounts Exposed

Illustration of the FICOBA data leak - exposed bank accounts

📋 Key Takeaways (TL;DR)

  • FICOBA hacked: an attacker accessed France’s national bank account registry for 16 days (Jan 28 – Feb 13, 2026) using a stolen civil servant’s credentials
  • 1.2 million accounts exposed: IBAN, full identity, postal address, date of birth, sometimes tax ID
  • No two-factor authentication on the compromised account — described as “almost surreal negligence” by experts
  • Real risk: fraudulent direct debits and social engineering. SFAM proved an IBAN is enough for industrial-scale fraud (743,000 victims)
  • Alarming pattern: France Travail (43M), Free (19M), Viamedis (33M), health data (15M) — France keeps piling up mega-breaches without matching accountability

On February 18, 2026, France’s tax authority (DGFiP) announced that a “malicious actor” had accessed FICOBA — the national database containing every bank account opened in France — for 16 days. The attacker used a single stolen civil servant’s login. Result: 1.2 million accounts in the wild, with IBANs, full identities, addresses, and dates of birth.

The Banque de France promptly issued a reassurance statement. The French Banking Federation followed. The collective message was remarkably consistent: a bank account number alone can’t empty your account, so monitor your statements and set up a whitelist with your bank. The kind of advice you give someone whose wallet was just stolen: “check that your card is still there.”

What FICOBA contains — and why this matters

FICOBA is not a minor file. It’s France’s national registry of all bank accounts: approximately 300 million entries. Current accounts, savings, securities, safe deposit boxes. For each entry: bank details (RIB/IBAN), full identity, postal address, date and place of birth.

It does not contain balances or transaction history. That’s the only good news. But what it does contain is exactly the toolkit needed for two types of fraud: unauthorized SEPA direct debits and targeted social engineering.

🔓 Anatomy of the FICOBA Breach

16 days of undetected access to France’s most sensitive financial database

  • 1.2M accounts exposed: IBAN + identity + address
  • 16 days, duration of breach: Jan 28 → Feb 13, 2026
  • 0 authentication factors: no 2FA on the account
  • 300M total FICOBA entries: every French bank account

Sources: DGFiP, Banque de France, ANSSI — February 2026

How a single stolen password was enough

The attacker stole the credentials, likely via targeted phishing or malware, of a civil servant who had legitimate access to FICOBA through inter-ministerial data exchange. The damning detail: no two-factor authentication was in place on this account.

Benoît Grunemwald, an expert at ESET France, called it “an organizational failure, not a technical vulnerability.” The Solidaires Finances Publiques union went further, describing it as “an almost surreal negligence at this level of sensitivity.” The database containing every bank account in France, accessible with a simple username and password. For 16 days. Without anyone noticing.
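The two gaps described above, a password-only account and 16 days without anyone noticing, map to two checks a log review can run. The following is an added example, not code from the DGFiP or from this article's sources; the event fields (day, account, auth_factors, records_read), the account names, the thresholds and the log data are all constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed audit events: (day, account, auth_factors, records_read).
# Field names, accounts and volumes are illustrative, not a real log format.
EVENTS = [
    ("2026-01-25", "agent_a", 2, 40), ("2026-01-25", "agent_b", 1, 35),
    ("2026-01-26", "agent_a", 2, 45), ("2026-01-26", "agent_b", 1, 42),
    ("2026-01-27", "agent_a", 2, 38), ("2026-01-27", "agent_b", 1, 38),
    ("2026-01-28", "agent_a", 2, 41), ("2026-01-28", "agent_b", 1, 70000),
    ("2026-01-29", "agent_a", 2, 44), ("2026-01-29", "agent_b", 1, 81000),
]

def password_only_accounts(events):
    """Accounts that authenticated at least once with fewer than two factors."""
    return sorted({acct for _, acct, factors, _ in events if factors < 2})

def volume_outliers(events, factor=10, min_history=3):
    """Return (day, account, records) for days whose read volume exceeds
    `factor` times the median of that account's earlier normal days."""
    per_account = defaultdict(lambda: defaultdict(int))
    for day, acct, _, records in events:
        per_account[acct][day] += records      # sum all sessions of the day
    alerts = []
    for acct, days in per_account.items():
        baseline = []
        for day in sorted(days):               # ISO dates sort chronologically
            total = days[day]
            if len(baseline) >= min_history and total > factor * median(baseline):
                alerts.append((day, acct, total))
            else:
                # Only unflagged days feed the baseline, so a multi-day
                # extraction keeps alerting instead of becoming the new normal.
                baseline.append(total)
    return sorted(alerts)

def triage(events):
    """Outlier days, marked high priority when the account lacks a second factor."""
    weak = set(password_only_accounts(events))
    return [(d, a, n, "high" if a in weak else "review")
            for d, a, n in volume_outliers(events)]

if __name__ == "__main__":
    for row in triage(EVENTS):
        print(row)
```
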

“An IBAN alone can’t empty your account” — really?

The SFAM lesson: IBANs as industrial weapons

SFAM (later Indexia) proved over ten years that IBANs and basic identity data are enough to build an industrial-scale fraudulent direct debit operation. The numbers are staggering:

  • 743,000 refund requests left unprocessed between 2014 and 2020
  • 382,000 cancellation requests ignored
  • €22 million still owed to customers at end of 2023
  • Founder sentenced to 2 years in prison (16 months firm) in December 2024 — he appealed

The Free lesson: social engineering is the real threat

When Free leaked 19 million customer records including 5.1 million IBANs in October 2024, the main risk wasn’t crude direct debits. It was social engineering: a scammer calls, quotes your exact IBAN to “prove” they’re legitimate, then asks you to validate an operation. In January 2026 — fifteen months later — a new wave of personalized phishing emails hit Free customers. This data doesn’t expire.

France’s mega-breach track record

📊 France’s Mega Data Breaches

2024-2026: an unprecedented accumulation

  • France Travail (43M), Mar 2024: identity + social security #. Fine: €5M
  • Viamedis / Almerys (33M), Jan 2024: social security # + insurer. Under investigation
  • Free (19M), Oct 2024: 5.1M IBANs + identity. Fine: €42M
  • Cegedim Santé (15M), late 2025: sensitive medical records. Investigation opened
  • FICOBA (DGFiP) (1.2M), Feb 2026: IBAN + identity + address. Complaint filed

Sources: CNIL, French press — Compiled March 2026

The accountability gap

What should truly alarm people is the distribution of consequences. Free was fined €42 million for its breach. France Travail: €5 million. The CNIL can sanction public bodies — it has proved it.

But what about the Finance Ministry? The DGFiP simply “filed a complaint” against the attacker. Not a word about the missing 2FA. No sanction. And for good reason: when the CNIL fines a public body, the money goes to the Treasury — which is the DGFiP itself. The State would be paying a fine to itself.

The crypto angle: why decentralization matters

This incident illustrates a fundamental vulnerability of centralized financial systems. A single point of failure — one stolen password — exposes 1.2 million people. One database centralizes every bank account of a 68-million-person country.

This is exactly the kind of vulnerability that decentralized systems like Bitcoin or Ethereum are designed to prevent. On a blockchain, there is no central database to hack. Security doesn’t depend on one civil servant’s vigilance — it relies on distributed mathematical cryptography.


📚 Glossary

  • FICOBA: Fichier national des Comptes Bancaires et Assimilés. France’s national database listing every bank account opened in the country (approximately 300 million entries).
  • SEPA Direct Debit: standardized direct debit system across Europe. A creditor with an ICS (SEPA Creditor Identifier) can initiate a debit knowing only the IBAN.
  • Social engineering: psychological manipulation aimed at tricking a person into revealing confidential information or performing an action (validating a transfer, sharing a code).
  • Phishing: fraud technique where attackers impersonate trusted organizations (bank, government) to steal personal information or login credentials.
  • Bitcoin: the first decentralized cryptocurrency, operating on a public blockchain with no single point of failure.
  • Ethereum: programmable blockchain enabling smart contracts and decentralized applications.
  • Blockchain: decentralized, distributed digital ledger where security relies on cryptography rather than a trusted third party.

❓ Frequently Asked Questions

What is FICOBA and what data was exposed?

FICOBA is France’s national registry of every bank account in the country. Exposed data includes IBANs, account holder identities, addresses, and dates of birth. Balances and passwords were not compromised.

Can someone empty a bank account with just an IBAN?

Not directly. But an IBAN combined with identity data enables repeated fraudulent direct debits, as demonstrated by the SFAM scandal with 743,000 victims. The main risk is social engineering: scammers using your data to build trust before asking you to validate an operation.

What’s the connection to cryptocurrency?

This breach illustrates the risk of centralized systems: a single point of failure exposes millions. Decentralized blockchains eliminate this risk by distributing data without a central database.



How to cite this article:
Fibo Crypto. (2026). France’s National Bank Account Database Hacked: 1.2 Million Accounts Exposed. Retrieved from https://fibo-crypto.fr/blog/ficoba-france-bank-account-database-breach-data-leak