Full Report
Emma Woollacott reports: Credentials stolen from a single government official enabled threat actors to access a French national database containing data on more than 1.2 million bank accounts. The attackers were able to access the Fichier des Comptes Bancaires et Assimilés (FICOBA) database, which contains files on all bank accounts opened in France. Stolen credentials...
Analysis Summary
# Incident Report: Compromise of FICOBA National Banking Database
## Executive Summary
A single government official’s stolen credentials allowed a threat actor to gain unauthorized access to the French national banking database, FICOBA. The breach resulted in the exposure of personal and financial data belonging to approximately 1.2 million bank account holders. The incident highlights the critical risk posed by privileged accounts in inter-ministerial information exchange systems.
## Incident Details
- **Discovery Date:** Late January / February 2026
- **Incident Date:** Starting end of January 2026
- **Affected Organization:** Fichier des Comptes Bancaires et Assimilés (FICOBA) / French Ministry of Economy
- **Sector:** Government / Financial
- **Geography:** France
## Timeline of Events
### Initial Access
- **Date/Time:** End of January 2026
- **Vector:** Credential Theft / Identity Impersonation
- **Details:** Threat actors obtained the valid credentials of a French civil servant. These credentials provided access rights to inter-ministerial information exchange platforms.
### Lateral Movement
- **Details:** Using the stolen identity, the attacker pivoted from general inter-ministerial access to the specific FICOBA database, leveraging the victim's existing query permissions.
### Data Exfiltration/Impact
- **Details:** The attacker "consulted" (viewed) FICOBA records covering 1.2 million accounts. Stolen data points include:
  - National bank account numbers.
  - Full names and addresses of account holders.
  - IBANs.
  - Tax identification numbers (in specific cases).
### Detection & Response
- **How it was discovered:** Not explicitly disclosed; the incident is known through an official statement and may have been identified through FICOBA access monitoring.
- **Response actions taken:** FICOBA issued a public statement through the Ministry of Economy; access for the compromised account was likely revoked.
## Attack Methodology
- **Initial Access:** Valid accounts / Stolen credentials of a government official.
- **Persistence:** Not disclosed (likely session-based via impersonation).
- **Privilege Escalation:** Not required; the compromised account already held "access rights" for inter-ministerial exchange.
- **Defense Evasion:** Impersonation of a legitimate user to blend in with authorized traffic.
- **Credential Access:** Stolen from a single civil servant (method of theft, e.g., phishing or infostealer, not specified).
- **Discovery:** Database querying for account holder information.
- **Lateral Movement:** Pivot from ministerial portal to FICOBA database.
- **Collection:** Manual or automated consultation of FICOBA files.
- **Exfiltration:** Unauthorized viewing/collection of 1.2 million banking records.
- **Impact:** Massive data breach of sensitive financial identifiers.
## Impact Assessment
- **Financial:** High risk of downstream fraud, BEC (Business Email Compromise), and identity theft for victims.
- **Data Breach:** Exposure of 1.2 million records containing PII and financial identifiers (IBAN/Tax ID).
- **Operational:** Potential suspension of inter-ministerial data sharing protocols during the investigation.
- **Reputational:** Significant public concern regarding the security of French national financial repositories.
## Indicators of Compromise
- **Network indicators:** N/A. The source article lists no specific IP addresses; defenders should nonetheless monitor ministerial portals for logins from unusual geolocations.
- **File indicators:** N/A.
- **Behavioral indicators:** An unusual volume of FICOBA queries, or access outside the standard working hours or role of the specific civil servant.
## Response Actions
- **Containment:** Revocation of the compromised official's access rights.
- **Eradication:** Identification of the entry point for credential theft.
- **Recovery:** Public notification and inter-ministerial security audit.
## Lessons Learned
- **Single Point of Failure:** A single official's credentials should not be capable of exposing 1.2 million records without triggering "bulk access" alerts.
- **Credentials remain the primary vector:** Government officials remain high-value targets for credential harvesting.
- **Inter-ministerial Risk:** Shared access environments expand the attack surface; a breach in one department can lead to a breach in a national database.
## Recommendations
- **Multi-Factor Authentication (MFA):** Ensure robust, phishing-resistant MFA (such as hardware keys) is mandatory for all inter-ministerial database access.
- **Least Privilege Access:** Implement stricter "Need to Know" controls to limit the number of records a single user can view in a given timeframe.
- **Behavioral Analytics:** Implement User and Entity Behavior Analytics (UEBA) to detect anomalous query volumes or unusual access patterns.
- **Data Masking:** Mask sensitive fields (like Tax IDs) unless absolutely necessary for the specific ministerial task being performed.
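One way to implement the "bulk access" alerting and behavioral analytics called for in the lessons learned and recommendations above, as an added example in Python (not FICOBA's or the Ministry's own code). The audit-log line format, user identifiers, query threshold and working-hours window are all constructed assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, time

# Constructed sample audit lines; the line format (timestamp, user, action, account
# reference) is an assumption for this example, not FICOBA's real log schema.
SAMPLE_LOG = """\
2026-01-28T09:02:11 user=agent42 action=consult account=ACC-0001
2026-01-28T09:40:19 user=agent42 action=consult account=ACC-0002
2026-01-28T23:15:03 user=agent42 action=consult account=ACC-0003
2026-01-29T10:00:00 user=agent17 action=consult account=ACC-0004
2026-01-29T10:00:01 user=agent17 action=consult account=ACC-0005
2026-01-29T10:00:02 user=agent17 action=consult account=ACC-0006
2026-01-29T10:00:03 user=agent17 action=consult account=ACC-0007
2026-01-29T10:00:04 user=agent17 action=consult account=ACC-0008
2026-01-29T10:00:05 user=agent17 action=consult account=ACC-0009
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) action=(\S+) account=(\S+)$")
BUSINESS_HOURS = (time(7, 0), time(20, 0))  # assumed working window for this role


def detect_anomalies(log_text, bulk_threshold=5, window=timedelta(minutes=10)):
    """Return (kind, user, timestamp) alerts: "OFF_HOURS" for a consult outside
    BUSINESS_HOURS, "BULK" for each query that lifts a user's consult count
    within `window` above `bulk_threshold`."""
    alerts = []
    recent = defaultdict(deque)  # user -> consult timestamps still inside the window
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m.group(3) != "consult":
            continue  # skip malformed lines and non-lookup actions
        ts = datetime.fromisoformat(m.group(1))
        user = m.group(2)
        if not (BUSINESS_HOURS[0] <= ts.time() < BUSINESS_HOURS[1]):
            alerts.append(("OFF_HOURS", user, ts))
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:  # drop consults that fell out of the window
            q.popleft()
        if len(q) > bulk_threshold:
            alerts.append(("BULK", user, ts))
    return alerts


if __name__ == "__main__":
    for kind, user, ts in detect_anomalies(SAMPLE_LOG):
        print(f"{kind:9} {user} {ts.isoformat()}")
```

On the constructed sample this flags one late-night consult by agent42 and the sixth rapid-fire lookup by agent17; in production the threshold would be tuned per role against the normal query rate of that post.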