A security breach at France’s national bank registry has compromised the personal information of 1.2 million people, after a threat actor downloaded a database containing the information of all bank accounts in the country.
The French revenue service, the Direction Générale des Finances Publiques (DGFiP), maintains the compromised database. All financial institutions across the country are required to submit their customers’ banking and personal information to comply with France’s tax laws.
The data breach occurred from late January and leveraged compromised credentials to access a government information-sharing platform.
Security breach compromises 1.2 million French bank accounts
According to the French Ministry of Finance, attackers breached the national bank account registry (FICOBA) using a compromised civil servant’s credentials. The breached database contains 300 million bank accounts belonging to 80 million individuals. The compromised civil servant had access to an interministerial information-sharing system, underscoring the importance of zero-trust to secure national IT infrastructure.
“When a single official’s credentials can unlock a national registry containing extensive financial and personal information, it highlights the urgent need for stronger authentication, continuous monitoring, and tighter access governance,” said Steve Cobb, Chief Information Security Officer at SecurityScorecard. “Government systems cannot afford weaknesses such as compromised credentials or unpatched environments. The government should set a higher security standard, especially with financial data that citizens trust to be safe. Once detailed banking information is exposed, the impact cannot be undone, serving as a reminder for others to strengthen their own protections.”
While details regarding the security breach are scant, it leaked the victims’ bank account information, including RIBs/IBANs, account holder information, physical addresses, and, in some cases, taxpayer identification numbers.
Some social media reports claim that victims have been targeted with fraudulent text and email messages attempting to steal more sensitive personal information or empty their bank accounts following the security breach.
“While the government’s spokesperson noted that the exposed data does not grant direct access to bank accounts, the detailed financial and personal information contained in FICOBA is precisely the type of data cybercriminals need to conduct business email compromise (BEC) attacks and highly convincing spearphishing campaigns. This can enable fraud that could be just as damaging as direct account access,” added Cobb.
Consequently, affected individuals should be on the lookout for unsolicited communications purporting to originate from their financial institutions or government agencies. They should also avoid sharing sensitive personal data over the phone, email, or social media.
Typically, reputable organizations do not request login credentials, credit card numbers, or other sensitive personal information via text or email. Subsequently, the Ministry urges impacted customers to contact the tax authority directly via phone to verify the authenticity of messages purporting to originate from the agency.
“The tax administration never asks for your login credentials or bank card number via message,” the Ministry warned.
They should also monitor their bank accounts for any suspicious activity and report any discrepancies to their financial institutions and relevant authorities.
“From a defensive standpoint, this [data breach] highlights several recurring issues,” explained Phil Wylie, Senior Consultant & Evangelist, Suzu Labs. “First, authentication alone is not authorization. Systems holding national-level sensitive records should enforce strict role segmentation and query-level monitoring rather than broad database access.”
“Second, large data stores require behavioral monitoring. A legitimate user pulling unusually large volumes of records should trigger investigation immediately,” added Wylie. “Third, credential compromise must be assumed, not treated as an edge case. Strong identity protection requires phishing-resistant MFA, session monitoring, and continuous verification instead of one-time login trust. Finally, breach impact is determined less by the initial intrusion and more by how much data a single account can access. Limiting data exposure is often more important than preventing every intrusion.”
Security breach disrupts operations at France’s national bank registry
While the security breach would have been more significant, the Ministry said it responded quickly and stopped the attack before the threat actor could compromise more bank accounts. It also reported the security breach to the French data protection authority, CNIL, and efforts to notify impacted individuals are underway.
Additionally, banking institutions affected by the security breach have also been notified and will likely notify their customers independently and apply additional mitigations to protect their customers’ bank accounts.
Meanwhile, the security breach has disrupted operations at the French national bank registry, as the affected system was taken offline to contain the threat. Currently, the Ministry is working to restore the impacted systems, but has provided no definite timeline.
Similarly, the French tax authority, the Ministry of Finance, and the National Cybersecurity Agency of France (ANSSI) are assisting the national bank registry to strengthen its cyber defenses to prevent a similar security breach in the future.
So far, no cybercrime group has taken responsibility for the data breach, no evidence suggests that the leaked information has been misused, and the Ministry has not revealed the identity of the attacker.

