France’s Ministry of Economy and Finance confirmed on February 18, 2026 that a malicious actor gained unauthorized access to the country’s national bank account database, exposing data tied to approximately 1.2 million accounts. The breach went undetected from late January until authorities identified the intrusion and moved quickly to shut it down.
What Was Accessed
The compromised database, maintained by the Direction Générale des Finances Publiques (DGFiP), holds records for all bank accounts opened at financial institutions in France. The data accessed includes bank account numbers, account holder names, postal addresses, and in some cases, tax identification numbers.
The DGFiP clarified that the breach did not expose account balances or allow the attacker to directly conduct financial transactions. However, the French Banking Federation warned that the stolen IBAN data could enable fraudsters to request unauthorized direct debit payments by registering as authorized debit issuers and forging debit mandates — the kind typically used for utility bills or loan repayments — and could be used to sign up for subscriptions charged to stolen IBANs.
Beyond that, the combination of data accessed is more than enough to fuel targeted phishing campaigns, identity theft, and social engineering attacks, particularly by fraudsters posing as bank representatives.

How It Happened
The attacker gained entry by using the stolen credentials of an official who had legitimate access to the database. Rather than exploiting a technical vulnerability, the attacker simply used a valid set of credentials to quietly browse parts of the database from late January onward.
Once the unauthorized access was detected, the ministry implemented measures to block the actor, restrict further access, and prevent data from being exported. Authorities filed a criminal complaint and notified CNIL, France’s data protection authority. The 1.2 million affected account holders will be notified individually.
As of now, the attacker’s identity and motivation have not been publicly disclosed, and it remains unclear whether this was the work of a nation-state actor or a financially motivated cybercriminal.
Part of a Larger Pattern
This incident doesn’t exist in a vacuum. France has been contending with a sustained wave of data breaches over the past two years. In 2024, a breach at France Travail (the national employment agency) compromised the personal data of up to 43 million people, an incident for which CNIL issued a €5 million fine in January 2026.
In late 2025, Pajemploi, a social security service for childcare workers, disclosed a breach affecting over a million employees. And in December 2025, a cyberattack knocked La Poste’s information systems offline, disrupting digital banking and online services for millions of customers.
When Credentials Are the Vulnerability
What makes this breach particularly worth examining is the attack vector. A single stolen credential belonging to a privileged official was enough to access a national financial database containing records on over a million people, with no technical exploit required. Privileged access that’s permanent, broadly scoped, and protected by a single layer of authentication creates a situation where one compromised account can cause outsized damage.
Just-in-time access provisioning, least-privilege policies, and multi-factor authentication on privileged accounts all serve to reduce the blast radius when credentials are compromised. None of these are novel concepts, but incidents like this one are a reminder that they’re still far from universally applied, even at the government level.
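The three controls named above, combined into a single authorization decision, as an added example (not code from the DGFiP or from the original article). The `AccessBroker` class, the account name, the record-set labels and the limits are all hypothetical, and the scenario is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Grant:
    scope: frozenset       # record sets this grant covers (least privilege)
    expires: datetime      # grant lapses on its own (just-in-time)
    max_records: int       # cap on lookups, bounding the blast radius

class AccessBroker:
    """Hypothetical broker placed in front of a sensitive database."""
    def __init__(self):
        self.grants = {}   # user -> Grant
        self.used = {}     # user -> lookups consumed under the current grant

    def approve(self, user, scope, now, ttl_minutes=60, max_records=50):
        # Called only after a reviewed, ticketed request for access.
        self.grants[user] = Grant(frozenset(scope),
                                  now + timedelta(minutes=ttl_minutes),
                                  max_records)
        self.used[user] = 0

    def decide(self, user, password_ok, mfa_ok, record_set, now):
        if not password_ok:
            return "deny: bad credentials"
        if not mfa_ok:
            return "deny: second factor missing"
        grant = self.grants.get(user)
        if grant is None or now >= grant.expires:
            return "deny: no active grant"
        if record_set not in grant.scope:
            return "deny: outside granted scope"
        if self.used[user] >= grant.max_records:
            return "deny: record cap reached"
        self.used[user] += 1
        return "allow"

def scenario():
    """Constructed requests, all carrying a valid password for one account."""
    t0 = datetime(2026, 1, 26, 9, 0)
    broker, user = AccessBroker(), "official-01"   # hypothetical account name
    out = [broker.decide(user, True, False, "region-A", t0)]      # password only
    out.append(broker.decide(user, True, True, "region-A", t0))   # no grant yet
    broker.approve(user, {"region-A"}, t0, ttl_minutes=60, max_records=2)
    out.append(broker.decide(user, True, True, "region-A", t0))   # in scope
    out.append(broker.decide(user, True, True, "region-B", t0))   # out of scope
    out.append(broker.decide(user, True, True, "region-A", t0))   # second lookup
    out.append(broker.decide(user, True, True, "region-A", t0))   # over the cap
    out.append(broker.decide(user, True, True, "region-A", t0 + timedelta(hours=2)))
    return out
```

Every denial string is worth logging as a separate alertable event: a valid password arriving without a second factor or without an active grant is the signal that a credential is being used outside its approved workflow.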

What This Means for Organizations
The incident is a reminder that social engineering risk doesn’t stop at the perimeter. Employees whose banking data was exposed may become targets for follow-on attacks, and those attacks can bleed into the workplace through phishing attempts or credential theft. Security awareness training and clear reporting procedures are worth revisiting in light of breaches like this one.
Organizations operating in France should also assume that some portion of their workforce is among the 1.2 million affected. With names, addresses, bank account numbers, and in some cases tax IDs now potentially in circulation, employees may start receiving highly convincing fraudulent communications in the coming weeks.
A brief, clear internal notice reminding staff what their bank will and won’t ask for over the phone or email is a low-effort step that could prevent a much costlier problem down the line.

