Full Report
French authorities on Wednesday announced a “malicious actor” had illegally accessed a portion of the country’s National Bank Accounts File (FICOBA) recording all bank accounts in the country. The sensitive government database holds data on more than 80 million individuals, according to the CNIL, France’s data protection authority. In an email to Recorded Future News, a spokesperson…
Analysis Summary
# Incident Report: Unauthorized Access to FICOBA National Database
## Executive Summary
In February 2026, French authorities identified a data breach involving the National Bank Accounts File (FICOBA), a sensitive government database managed by the Directorate General of Public Finances (DGFiP). A malicious actor utilized stolen or impersonated credentials of a civil servant to illegally query the system. The breach impacted approximately 1.2 million bank accounts, compromising data within a system that monitors over 80 million individuals across France.
## Incident Details
- **Discovery Date:** Announced February 18, 2026 (Wednesday)
- **Incident Date:** Exact date undisclosed; the unauthorized access occurred on or before February 18, 2026
- **Affected Organization:** Directorate General of Public Finances (DGFiP)
- **Sector:** Government / Financial
- **Geography:** France
## Timeline of Events
### Initial Access
- **Date/Time:** Exact time undisclosed; reported February 2026.
- **Vector:** Credential Theft / Identity Impersonation.
- **Details:** The attacker impersonated a civil servant using valid credentials obtained through unknown means.
### Lateral Movement
- **Details:** The attacker leveraged "interministerial information exchanges," a protocol designed to allow different government branches to share data, to pivot from the initial compromised account to the FICOBA database.
### Data Exfiltration/Impact
- **Details:** The actor performed unauthorized queries on the FICOBA database. The file holds records on 80 million people and roughly 300 million accounts in total; approximately 1.2 million of those accounts were actually accessed.
### Detection & Response
- **How it was discovered:** Public announcement suggests detection via internal monitoring of database queries or authentication anomalies.
- **Response actions taken:** DGFiP identified the compromised credentials and notified the CNIL (Data Protection Authority). French authorities have launched an investigation into the "malicious actor."
## Attack Methodology
- **Initial Access:** Valid accounts (Impersonation of a civil servant).
- **Persistence:** Not specified; likely session-based via hijacked credentials.
- **Privilege Escalation:** Use of interministerial exchange privileges to access restricted secondary databases.
- **Defense Evasion:** Use of legitimate credentials to blend in with authorized traffic.
- **Credential Access:** Stolen or phished credentials of a government employee.
- **Discovery:** Querying the FICOBA database to identify account holders.
- **Collection:** Automated or manual querying of sensitive financial records.
- **Exfiltration:** Illegal access/viewing of a portion of the National Bank Accounts File.
- **Impact:** Unauthorized disclosure of sensitive financial metadata.
## Impact Assessment
- **Financial:** No direct theft of funds reported; however, the exposure of bank account locations and ownership creates high risk for targeted fraud.
- **Data Breach:** Compromise of records belonging to approximately 1.2 million individuals.
- **Operational:** Investigation into interministerial data-sharing protocols.
- **Reputational:** High public impact due to the sensitivity of the FICOBA database and the scale of the French population monitored by the system.
## Indicators of Compromise
- **Behavioral indicators:** Unusual query volume from a single civil servant account; access to the FICOBA database at atypical hours or from unusual locations; queries outside the scope of the assigned user/department duties.
## Response Actions
- **Containment measures:** Revocation of the compromised civil servant’s credentials.
- **Eradication steps:** Disabling the specific interministerial exchange path used for the unauthorized queries.
- **Recovery actions:** Notification of the CNIL and audit of the 1.2 million impacted accounts.
## Lessons Learned
- **Key takeaways:** Trust in interministerial information exchanges can be exploited if individual user credentials are not protected by robust multi-factor authentication (MFA).
- **What could have been done better:** Implementation of "Zero Trust" architecture could have limited the ability of a single user to query over a million records without additional verification or "need-to-know" justification.
## Recommendations
- **MFA Enforcement:** Ensure all civil servant accounts, especially those with interministerial access, require hardware-based MFA.
- **Query Monitoring:** Implement rate-limiting and anomaly detection on database queries to flag accounts performing bulk searches, off-hours access, or queries outside their assigned scope.
- **Least Privilege:** Restrict the "interministerial exchange" permissions so that users can only query specific data relevant to their active tasks rather than broad access to 300 million records.
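The behavioral indicators listed under Indicators of Compromise and the query-monitoring recommendation above can be turned into concrete detection logic over an audit log. The following is an added example, not DGFiP's, FICOBA's or the article's own tooling; the log format, department-to-scope table, thresholds and working hours are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed audit-log format: "<ISO timestamp> <account> <department> <query_type>"
# The lines below are constructed for this example, not real FICOBA records.
SAMPLE_LOG = """\
2026-02-17T09:12:03 agent.a tax_audit LOOKUP_ACCOUNT
2026-02-17T09:15:44 agent.a tax_audit LOOKUP_ACCOUNT
2026-02-17T02:41:10 agent.b customs LOOKUP_ACCOUNT
2026-02-17T02:41:11 agent.b customs LOOKUP_ACCOUNT
2026-02-17T02:41:12 agent.b customs LOOKUP_ACCOUNT
2026-02-17T02:41:13 agent.b customs LOOKUP_ACCOUNT
2026-02-17T10:05:00 agent.c social_security BULK_EXPORT
"""

# Assumed need-to-know policy: query types each department may run.
SCOPE = {"tax_audit": {"LOOKUP_ACCOUNT", "BULK_EXPORT"},
         "customs": {"LOOKUP_ACCOUNT"},
         "social_security": {"LOOKUP_ACCOUNT"}}
BULK_THRESHOLD = 3            # max queries per account per window (assumed)
WINDOW = timedelta(minutes=5)
WORK_HOURS = range(7, 20)     # 07:00-19:59 local time (assumed)

def parse(log):
    """Split each log line into (timestamp, account, department, query_type)."""
    rows = []
    for line in log.splitlines():
        ts, acct, dept, qtype = line.split()
        rows.append((datetime.fromisoformat(ts), acct, dept, qtype))
    return rows

def detect(log):
    """Return sorted (account, indicator) findings for the three indicators."""
    findings = set()
    recent = defaultdict(list)    # account -> timestamps inside the window
    for ts, acct, dept, qtype in sorted(parse(log)):
        if ts.hour not in WORK_HOURS:
            findings.add((acct, "off_hours_access"))
        if qtype not in SCOPE.get(dept, set()):
            findings.add((acct, "out_of_scope_query"))
        # Sliding window: keep only timestamps still within WINDOW of this query
        window = [t for t in recent[acct] if ts - t <= WINDOW] + [ts]
        recent[acct] = window
        if len(window) > BULK_THRESHOLD:
            findings.add((acct, "bulk_query_volume"))
    return sorted(findings)

if __name__ == "__main__":
    for acct, indicator in detect(SAMPLE_LOG):
        print(f"{acct}: {indicator}")
```

In production the thresholds would be tuned per department against a baseline of normal query rates, and each finding would feed a ticket for the account's credentials to be reviewed.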