FICOBA: 1.2 million bank accounts exposed. So now what?
FICOBA is the national register of bank and similar accounts. Created in 1971, it lists every account opened at French banking institutions: current accounts, savings accounts, securities accounts, rented safe-deposit boxes.

The media pounced on the story with the usual mix of alarming figures and scare-you formulas. "Historic breach", "immediate risk", "your data in the hands of hackers"...
Let's breathe.
Because what happened with FICOBA deserves better than a knee-jerk reaction. It deserves a clear-eyed reading. And above all, it deserves that we ask the right questions; not the ones that generate clicks, but the ones that make you think.
What happened, clearly
FICOBA is the national register of bank and similar accounts. Created in 1971, it lists every account opened at French banking institutions: current accounts, savings accounts, securities accounts, rented safe-deposit boxes. That is 300 million accounts in total, managed by the Direction générale des Finances publiques (DGFiP).
In late January 2026, a malicious actor accessed this register. He was able to view and, in all likelihood, extract the data of 1.2 million accounts.
What he obtained: the surname, first name, address, date and place of birth of the account holder, the IBAN, and in some cases the tax identifier.
What he did not obtain: the account balances. The transactions. The ability to make a transfer.
The Fédération bancaire française confirmed it: this data alone is not enough to carry out a card payment or a transfer. That is worth spelling out, given how much the ambient panic implied that accounts were about to be emptied at any moment.
So it's not serious, then?
It is. It is serious. Very serious.
Just not exactly for the reasons you're being fed on a loop.
Let's start with what is true: with your IBAN, it is technically possible to initiate fraudulent direct debits. It is not as simple as emptying an account, but it exists, and it happens. The Fédération bancaire française acknowledges it itself: a stolen IBAN can, under certain conditions, be used to set up a fraudulent mandate. Monitor your statements. Report immediately any direct debit you do not recognize.
But the deeper threat, the one that gets talked about far less, is another one.
What has just been compromised is not only your account number. It is your digital identity in its entirety: surname, first name, postal address, date and place of birth, IBAN, and sometimes tax number. A complete package. Coherent. Verifiable.
And that, for a scammer, is gold.
With this information, he can contact you posing as your bank, as the DGFiP, as your insurer. He won't guess your data: he already knows it. His message will be precise, fluent, credible. You will get the impression that he knows you. Because in a way, he does.
That is the real danger of FICOBA. Not the phantom transfer. The surgical manipulation.
The real scandal: how it happened
Here we get to the heart of the problem.
The attacker did not "hack" FICOBA in the way we picture it, a sophisticated operation, flashing screens, a team of geniuses in a dark room. He stole the credentials of a civil servant who had legitimate access to the register as part of his duties.
In other words: someone stole a username and a password. And with that, he logged in. Quietly. Without arousing the slightest suspicion. Over several weeks. With no monitoring, no alert, without anyone raising a hand.
Nada.
Let's ask the question plainly, because it deserves to be asked: how was access to 300 million French bank accounts neither protected by strong authentication nor watched by anomaly detection systems? This is the ABC of any digital security strategy worthy of the name in any company that takes itself even remotely seriously.
So the organization supposedly managing the security of our banking details, what exactly was it waiting for?
And while we're at it: this is the very same administration we are being asked to trust more, to centralize our identity data online, to digitize our interactions with the State even further.
This is not a sophisticated technical flaw. It is a human and organizational failure, deep, avoidable. Exactly the kind of failure I talk about in Être en cybersécurité: the weak link is almost never the technology. It's the human. And it's the process.

A grim run that is no accident
This case is not isolated.
Since the start of the year, France has suffered the breach of Service-Public.fr, an attack on the OFII, a leak at a Relais Colis provider, the compromise of the Fédération française de golf, and before that, the data of France Travail, of the CNAM, of health insurers, of hospitals...
A Surfshark report had already placed France at the top of European countries for the number of compromised accounts per capita in 2025.
This is not bad luck. It is the symptom of a structural problem: French public cybersecurity is underfunded, fragmented, and treated as an administrative constraint rather than a strategic priority.
NIS2 is still awaiting full transposition. Access permissions are poorly managed. Training public agents in good practices remains anecdotal. And the culture of digital risk, the one that would keep a civil servant from getting his credentials phished, is not yet embedded in organizations.
What you can do: become politely paranoid
First thing: breathe.
Your data is probably already somewhere online. Not only because of FICOBA, because of France Travail, of the CNAM, of your health insurer, of that app you installed in 2019 and forgot about since. Leaks have been piling up for years. They cross-reference, complete and aggregate each other.
Accepting that is liberating. It doesn't mean giving up. It means stopping waiting for the problem and starting to anticipate it.
My principle, the one I repeat to every company I work with, in every training course I give and also in my book Être en cybersécurité: be politely paranoid.
Not anxious. Not paralyzed. Just methodically wary, with a smile.
In practice, what does that look like?
Any contact you did not initiate is suspect by default. A call from your bank? Hang up and call back yourself using the number on the back of your card. A text from the DGFiP with a link? Trash. An email that knows your IBAN and asks you to "confirm" anything at all? Trash, and fast. The rule is simple: if it's urgent and it comes from the outside, it's probably fake. Real emergencies, you handle them by calling the organization back yourself.
Check your FICOBA accounts. Since 2025, it's available on impots.gouv.fr, under "Autres services". In a few clicks you can see which accounts are linked to you there. Do it, not because it's urgent; but because regaining control starts with knowing where you stand.
Enable two-factor authentication everywhere. Email first. Banking and tax services next. Everything else after. It's the simplest and most effective measure there is for reducing your exposure. It costs nothing. It protects a lot.
Monitor your direct debits. A stolen IBAN can, under certain conditions, be used to set up a fraudulent mandate. Take a look at your statements regularly; not with dread, with attention. Any direct debit you do not recognize can be disputed immediately with your bank.
FICOBA is not the end of the world. But it's one more reminder that in today's digital world, the best protection is you. Not your bank. Not the State. You.
Politely paranoid. Always.

What this case reveals, at bottom
I say it often, and this incident confirms it once again: cybersecurity is not a tools problem. It's a culture problem and a human problem.
I insist on this idea: clear-headedness is worth more than fear. Understanding how attacks actually work, not the Hollywood version but the reality on the ground, is what lets you make the right decisions, individually as well as collectively.
This FICOBA breach is not an irreparable catastrophe for the people affected. But it's a strong signal we cannot go on ignoring: as long as digital security remains a subject for specialists and not a subject of governance, these incidents will keep repeating.
And next time, the exposed data may be even more sensitive.
Want to go further and truly understand how cybersecurity works, not to become an expert, but to stop being on the receiving end? My book Être en cybersécurité is made for that.
Questions fréquentes
Can my accounts be emptied using the data leaked from FICOBA?
No. The Fédération bancaire française confirms that this data alone is not enough to carry out a card payment or a transfer. A stolen IBAN can however, under certain conditions, be used to set up a fraudulent direct debit mandate, which is why it matters to monitor your statements.
What data was exposed?
The surname, first name, address, date and place of birth of the account holder, the IBAN, and in some cases the tax identifier. Neither the balance nor the transactions were obtained.
How did the attack happen?
The attacker stole the credentials of a civil servant with legitimate access to the register, then logged in over several weeks with no strong authentication, no monitoring and no alert. This is a human and organizational failure, not a sophisticated technical flaw.
What can I concretely do to protect myself?
Treat any contact you did not initiate as suspect and call the organization back yourself, check the accounts linked to you on impots.gouv.fr (under "Autres services"), enable two-factor authentication everywhere starting with your email, and monitor your direct debits regularly.
Sources & méthodologie
- Fédération bancaire française
- Direction générale des Finances publiques (DGFiP), impots.gouv.fr
- Rapport Surfshark sur les comptes compromis en Europe (2025)

Être en cybersécurité
Une feuille de route cyber en clair, pour tout le monde, pas seulement les experts.
