France’s National Bank Account Registry Breached: 1.2 Million Records Exposed in Civil Servant Impersonation Attack

FICOBA Registry Breach – 20 February 2026

Target: French National Bank Accounts File (FICOBA)
Authority Involved: French Ministry of Economy
Estimated Impact: ~1.2 million bank account records potentially exposed


What FICOBA Is and Why It Is Sensitive

FICOBA (Fichier des Comptes Bancaires) is France’s centralized national registry of bank accounts. It does not contain account balances or transaction history, but it links individuals and companies to their bank accounts across the country.

The registry typically includes:

  • Full name of account holder
  • Date and place of birth
  • Address
  • Bank name and branch
  • IBAN or account number
  • Account type (individual, joint, corporate)
  • Date of account opening and closure

It is accessible only to authorized entities such as tax authorities, customs officials, financial investigators, and judicial authorities. Because it maps people directly to their financial footprint, it is extremely valuable for fraud networks, organized crime, and state-level intelligence actors.


What Happened

On 20 February 2026, the French Ministry of Economy disclosed that an attacker gained unauthorized access to the FICOBA registry by impersonating a civil servant. The breach potentially exposed data linked to approximately 1.2 million accounts.

There was no reported service outage, no ransomware deployment, and no system destruction. The attack was focused on data access and extraction.

The intrusion appears to have involved valid credentials being used in an unauthorized way. This makes it an identity-based breach rather than a traditional network compromise.


How It Likely Happened

The attacker reportedly posed as a legitimate civil servant. This strongly suggests credential compromise rather than exploitation of a software vulnerability.

Possible initial access methods include:

  • Spear-phishing email with credential harvesting
  • Adversary-in-the-middle phishing to bypass MFA
  • MFA fatigue attack (push bombing)
  • Helpdesk social engineering for password reset
  • Compromised government workstation
  • Credential reuse from previously leaked databases
  • SIM swapping to intercept OTP codes
  • Session hijacking via stolen authentication tokens
  • OAuth token abuse
  • Man-in-the-browser attack

Once valid credentials were obtained, the attacker likely logged in through official channels, making the activity appear legitimate at first glance.


Was a Vulnerability Exploited?

There is no indication of:

  • SQL injection
  • Remote code execution
  • Web application exploitation
  • Zero-day vulnerability
  • Privilege escalation exploit

The breach appears to stem from weak identity validation controls or insufficient anomaly detection around legitimate user behavior.

This type of breach often occurs when:

  • MFA is not phishing-resistant
  • User roles are overprivileged
  • Access monitoring is focused on failures rather than unusual successes

What Was Impacted

The exposed information likely includes:

  • Personal identification details
  • Banking institution identifiers
  • IBAN/account numbers
  • Account creation and closure metadata
  • Legal entity associations
  • Multi-account relationships

Not impacted:

  • Account balances
  • Transaction histories
  • Online banking credentials
  • PINs

However, even without balances, this data is powerful. It allows attackers to:

  • Build financial identity maps
  • Craft highly targeted phishing campaigns
  • Conduct banking impersonation scams
  • Prepare account takeover attempts
  • Conduct synthetic identity fraud
  • Perform money mule recruitment targeting

Technical Attack Flow

The attacker likely conducted reconnaissance to identify a suitable civil servant with FICOBA access.

After credential compromise, they authenticated through the official portal. If MFA was present, it was likely bypassed using phishing proxies or social engineering.

Once authenticated:

  • They executed structured queries
  • Performed high-volume lookups
  • Possibly used automated scripts or API abuse
  • Conducted bulk exports
  • Exfiltrated data over encrypted HTTPS

Because access credentials were valid, many security systems would have seen the activity as normal.


Expanded Indicators of Compromise (IOCs)

Authentication Indicators

  • Successful login from IP ranges belonging to cloud/VPS providers
  • Login from residential proxy services
  • Login from ASN not previously associated with government devices
  • Impossible travel patterns
  • Logins outside standard working hours
  • Login attempts preceded by multiple MFA push requests
  • MFA device re-enrollment events
  • Password reset immediately followed by large query activity
  • First-time browser fingerprint
  • Change in user-agent string
  • Access via Tor exit nodes
  • Login from newly registered device ID
  • Access from foreign geolocation inconsistent with role
  • Authentication via legacy protocol fallback
  • Multiple failed login attempts followed by successful login

Application-Level Indicators

  • Sudden spike in query volume
  • Bulk search across unrelated regions
  • High-frequency sequential IBAN lookups
  • Enumeration of account IDs in ascending/descending order
  • Querying multiple high-profile individuals
  • Repeated export function usage
  • Use of rarely used administrative endpoints
  • Query results exceeding normal case investigation volume
  • API token usage from new IP address
  • Large JSON/XML response payload downloads
  • Access to dormant accounts not tied to active investigations
  • Execution of wildcard searches
  • Abnormal use of search filters

Network Indicators

  • Large outbound HTTPS transfers
  • Sustained outbound traffic sessions
  • Data uploads to anonymous file-sharing platforms
  • Encrypted outbound traffic to unknown domains
  • DNS requests to newly registered domains
  • Beaconing patterns before login
  • High data transfer with low user interaction
  • TLS connections with uncommon JA3 fingerprints
  • Connections to bulletproof hosting providers
  • Traffic to IP ranges known for residential proxy services

Endpoint Indicators (If Phishing or Malware Involved)

  • Suspicious browser extensions installed
  • Unknown remote access tools
  • Unexpected PowerShell execution
  • Creation of new scheduled tasks
  • Credential dumping artifacts
  • Browser credential database access
  • Presence of reverse proxy phishing kit artifacts
  • Suspicious DLL injection events
  • Clipboard monitoring processes
  • LSASS access attempts
  • Abnormal token manipulation events
  • Unauthorized registry modifications

Why This Attack Was Difficult to Detect

No malware may have been deployed.
No ransomware encrypted files.
No destructive activity occurred.

This was likely an abuse of legitimate access.

Traditional security systems focus on:

  • Exploits
  • Malware signatures
  • Network intrusion

This incident required:

  • Behavioral analytics
  • Identity anomaly detection
  • Query pattern monitoring

Without those controls, the attacker blends in.


Detection and Threat Hunting Guidance

Identity Monitoring

Alert on:

  • Login from first-time IP
  • Login from hosting providers
  • MFA reset events
  • Account access outside working hours
  • Simultaneous sessions from different geolocations

Implement impossible travel detection and device fingerprint tracking.


Query Behavior Monitoring

Establish baseline metrics per user:

  • Average daily query count
  • Typical geographic focus
  • Normal record retrieval volume

Trigger alerts when:

  • Queries exceed baseline threshold
  • Exports exceed standard case limits
  • Access scope expands beyond assigned region
  • Sequential enumeration patterns appear

Data Exfiltration Monitoring

Alert on:

  • Outbound traffic exceeding baseline
  • Uploads to unknown domains
  • Compressed file creation immediately after query spike
  • Use of command-line archive tools
  • Large HTTPS POST requests

Detection Logic

Alert if:

  • User performs >X queries within Y minutes
  • Export size > predefined MB threshold
  • Login IP ASN != historical ASN for that user
  • MFA reset + high data access within 24 hours
  • First-time device + high data volume
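
As an added illustration, not code from the original post or from any FICOBA system, the per-user baselines of the Query Behavior Monitoring section and the five Detection Logic rules above implemented as a single pass over a constructed audit log; the event field names, thresholds and sample values are assumptions, and a real deployment would seed each user's ASN and device history from historical logs rather than from the first login it sees.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit events (not real FICOBA logs; field names are assumed).
# "count" = records returned by a lookup, "mb" = export size, "asn" = login network.
EVENTS = [
    {"ts": "2026-02-17T09:00:00", "user": "a.dupont", "type": "login", "asn": 3215, "device": "gov-pc-17"},
    {"ts": "2026-02-17T09:15:00", "user": "a.dupont", "type": "query", "count": 8},
    {"ts": "2026-02-17T14:00:00", "user": "a.dupont", "type": "query", "count": 5},
    {"ts": "2026-02-19T22:10:00", "user": "a.dupont", "type": "mfa_reset"},
    {"ts": "2026-02-19T22:20:00", "user": "a.dupont", "type": "login", "asn": 16276, "device": "unknown-7f"},
    *[{"ts": f"2026-02-19T22:{m}:00", "user": "a.dupont", "type": "query", "count": 100}
      for m in (25, 27, 29, 31, 33, 35)],
    {"ts": "2026-02-19T22:50:00", "user": "a.dupont", "type": "export", "mb": 120},
]

def detect(events, max_queries=5, window=timedelta(minutes=30), export_mb=50,
           high_volume=500, mfa_window=timedelta(hours=24)):
    """Apply the five rules; return (timestamp, user, rule) alerts in time order."""
    known_asn, known_dev = defaultdict(set), defaultdict(set)   # per-user history
    recent = defaultdict(deque)          # query timestamps inside the sliding window
    last_reset, volume, new_device, alerts = {}, defaultdict(int), defaultdict(bool), []
    for e in sorted(events, key=lambda x: x["ts"]):
        ts, u, kind = datetime.fromisoformat(e["ts"]), e["user"], e["type"]
        if kind == "login":
            # Rule: login ASN != historical ASN (only once a baseline exists)
            if known_asn[u] and e["asn"] not in known_asn[u]:
                alerts.append((e["ts"], u, "login ASN differs from historical ASN"))
            new_device[u] = bool(known_dev[u]) and e["device"] not in known_dev[u]
            known_asn[u].add(e["asn"]); known_dev[u].add(e["device"])
            volume[u] = 0                # new session starts a fresh volume counter
        elif kind == "mfa_reset":
            last_reset[u] = ts
        elif kind == "query":
            q = recent[u]; q.append(ts)
            while ts - q[0] > window:    # drop queries that fell out of the window
                q.popleft()
            if len(q) > max_queries:     # Rule: >X queries within Y minutes
                alerts.append((e["ts"], u, f"more than {max_queries} queries in {window}"))
            volume[u] += e["count"]
            if volume[u] >= high_volume:
                if u in last_reset and ts - last_reset[u] <= mfa_window:   # Rule: MFA reset + access
                    alerts.append((e["ts"], u, "MFA reset followed by high data access"))
                if new_device[u]:        # Rule: first-time device + high data volume
                    alerts.append((e["ts"], u, "first-time device with high data volume"))
                volume[u] = 0            # fire once per burst, not on every query
        elif kind == "export" and e["mb"] > export_mb:   # Rule: export size > threshold
            alerts.append((e["ts"], u, f"export of {e['mb']} MB exceeds {export_mb} MB"))
    return alerts
```

Running `detect(EVENTS)` on the constructed log yields five alerts: the ASN change at login, the MFA-reset and first-device rules once the burst crosses 500 records, the query-rate rule on the sixth lookup, and the oversized export; the two baseline days produce none.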

Threat Hunting Questions

  • Which users accessed the largest number of records during the exposure window?
  • Were those queries aligned with active legal investigations?
  • Did any user access unrelated geographic clusters?
  • Were any credentials recently reset?
  • Did any login originate from infrastructure providers?
  • Was there evidence of residential proxy usage?

Root Causes

The breach highlights weaknesses in:

  • Identity verification procedures
  • Overprivileged user roles
  • Lack of fine-grained query monitoring
  • Insufficient anomaly detection
  • Inadequate MFA hardening

Strategic Security Improvements

  • Enforce phishing-resistant MFA (FIDO2 or hardware keys)
  • Implement zero-trust identity validation
  • Restrict bulk export functionality
  • Add query throttling
  • Deploy user behavior analytics
  • Enforce strict least-privilege roles
  • Require step-up authentication for mass queries
  • Log and watermark large exports
  • Conduct continuous access reviews
  • Introduce session recording for high-sensitivity systems

Overall Assessment

This breach was not about breaking the system. It was about impersonating someone who already had access.

It demonstrates that modern high-impact breaches often:

  • Exploit trust rather than software
  • Abuse valid credentials rather than vulnerabilities
  • Exfiltrate quietly rather than destroy

The FICOBA incident is a clear example of identity-driven compromise in a high-value government data environment.


Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.