FICOBA: 1.2M accounts exposed — IAM and least privilege
A compromised high-privilege account enabled access to ~1.2M FICOBA records. What happened and how least-privilege IAM addresses GDPR Art. 25 and NIS 2 Art. 21 requirements.
In February 2026, France confirmed a breach affecting approximately 1.2 million bank accounts in the national FICOBA database, after a public agent’s credentials were fraudulently used. Here is what happened—and how rigorous Identity and Access Management (IAM) meets GDPR and NIS 2 obligations.
What happened
On 18 February 2026, the French Ministry of Economy announced that a threat actor, using an authorised agent’s credentials, had queried part of FICOBA “from late January 2026,” accessing data linked to around 1.2 million bank accounts. Exposed information includes the account holder’s identity, address, banking details (RIB/IBAN) and, in some cases, the tax number. The incident was notified to the data protection authority, and banks were warned about potential fraud. Sources: Anadolu Agency, 18–19 February 2026; ITPro, March 2026.
The pattern is familiar: a single high‑privilege account enabled mass access to highly sensitive data. No zero‑day here—rather an insufficiently constrained access chain where authentication, access conditions and monitoring did not prevent or limit exfiltration.
The applicable legal framework
- GDPR — Article 25 “Data protection by design and by default”: controllers must implement appropriate technical and organisational measures (including minimisation and confidentiality) by design and throughout the lifecycle. A robust IAM is one of those measures. References: EUR‑Lex, GDPR Art. 25; CNPD (Luxembourg) guidance on privacy by design. See our GDPR page.
- NIS 2 — Article 21 “Cybersecurity risk-management measures”: entities must implement measures explicitly including identity and access management, MFA, rights segmentation, and cyber hygiene. Reference: EUR‑Lex, Directive (EU) 2022/2555, Art. 21. In Luxembourg, the ILR requires notification of significant incidents within 24 hours via the SERIMA platform (see the ILR guidance on 24‑hour incident notification and on SERIMA). For local expectations, see NIS 2 Luxembourg.
Bottom line: if large volumes of sensitive data can be accessed via a single account without proportionate safeguards (phishing‑resistant authentication, least privilege, session control, access logging/justification), this falls short of GDPR Art. 25 and NIS 2 Art. 21.
The technical remedy: least‑privilege IAM with conditional access
A modern IAM programme goes far beyond “creating accounts.” It orchestrates, evidences and automates the right level of access, at the right time, for the right person—and cuts everything else.
Key controls to implement (benchmarks: ISO/IEC 27001:2022 Annex A.5.16 Identity management, A.5.17 Authentication information, A.5.18 Access rights; NIST CSF 2.0 PR.AA; CIS Controls v8, Control 5 Account Management and Control 6 Access Control Management):
- Identity and role governance (IAG): role modelling (RBAC/ABAC), segregation of duties (SoD), periodic certification of high‑exposure entitlements.
- Just‑in‑time (JIT) access and controlled elevation: privileged rights are time‑bound, request‑based, approved, and recorded with justification.
- Conditional access and risk‑aware context: policies by location, device type, and resource sensitivity, with step‑up when risk increases.
- Phishing‑resistant strong authentication (FIDO2/WebAuthn) where appropriate, and lifecycle hardening of remaining secrets.
- Fine‑grained logging and traceability for reads/exports of sensitive data, with real‑time alerts on abnormal volumes or patterns.
- Logical data domain segmentation and governed “break‑glass” for emergencies.
Operational objective: even a legitimate but compromised credential should neither unlock broad access nor allow substantial exfiltration without friction or alerts.
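As an added worked example (not from the original article and not Luxgap's tooling), the conditional‑access and JIT controls above written as one policy decision: context checks (managed device, trusted network) are evaluated first, then the presence of a live, approved and justified JIT grant, then step‑up for bulk exports. The network labels, the fixed NOW timestamp and the rule that bulk exports require FIDO2 are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Fixed "current time" for the worked example (constructed, not a real event time).
NOW = datetime(2026, 2, 18, 10, 0, tzinfo=timezone.utc)
TRUSTED_NETWORKS = {"corporate", "vpn"}          # assumption: the trusted network labels

@dataclass
class JitGrant:
    """A just-in-time elevation: approved, justified and time-bound."""
    approver: str
    justification: str
    expires_at: datetime

@dataclass
class AccessRequest:
    user: str
    sensitivity: str        # "internal" or "sensitive" (IBANs, tax numbers, ...)
    device_managed: bool    # enrolled in endpoint management?
    network: str            # "corporate", "vpn" or "unknown"
    auth_strength: str      # "password", "otp" or "fido2"
    bulk_export: bool       # reading many rows at once?
    grant: "JitGrant | None" = None
    now: datetime = NOW

def grant_for(approver, justification, hours):
    """Build a JIT grant that expires `hours` after NOW (helper for the demo)."""
    return JitGrant(approver, justification, NOW + timedelta(hours=hours))

def evaluate(req: AccessRequest):
    """Return (decision, reasons); decision is 'allow', 'step_up' or 'deny'. Context
    checks run first, so a stolen credential on an unmanaged host is refused early."""
    if req.sensitivity != "sensitive":
        return "allow", ["non-sensitive scope, standard policy applies"]
    reasons = []
    if not req.device_managed:
        reasons.append("unmanaged device")
    if req.network not in TRUSTED_NETWORKS:
        reasons.append(f"untrusted network '{req.network}'")
    if reasons:
        return "deny", reasons
    g = req.grant
    if g is None or not g.approver or not g.justification:
        return "deny", ["no approved, justified JIT grant"]
    if g.expires_at <= req.now:
        return "deny", [f"JIT grant expired at {g.expires_at.isoformat()}"]
    if req.bulk_export and req.auth_strength != "fido2":
        return "step_up", ["bulk export requires phishing-resistant authentication"]
    return "allow", [f"JIT grant by {g.approver} until {g.expires_at.isoformat()}"]
```

Every deny or step‑up carries its reasons so the decision can be logged with the request and later produced as evidence of the control operating.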
How Luxgap delivers
- Our ISO 27001 governance: data/system mapping, critical roles and SoD, least‑privilege access model aligned to ISO 27001 A.5.16‑18, NIST CSF PR.AA and CIS v8. Risk‑based quarterly access reviews with audit‑ready evidence.
- Our 24/7 managed SOC: we correlate IdP, IAM/PAM, proxies and sensitive databases into a SIEM; UEBA on access behaviours with minute‑level alerts (e.g., IBAN read spikes off‑hours from unmanaged hosts). Explore our managed SOC.
- Our outsourced DPO and CISO: integrate IAM into GDPR privacy by design (Art. 25), maintain evidence registers (policies, DPIAs where needed, access reviews), and align incident thresholds/criteria with NIS 2.
Practically, we run three workstreams over 8–12 weeks: 1) sensitive‑data and role scoping, 2) deployment of conditional access/phishing‑resistant MFA/JIT, 3) onboarding access logs and SOC alert scenarios.
Case study in Luxembourg/EU
A fiduciary operating in Luxembourg/Belgium/France, classified as a NIS 2 “important entity,” stored clients’ banking data for reconciliations. Critical risk: permanently active “super‑user” accounts. In 6 weeks, we:
- replaced permanent profiles with approved, recorded JIT roles,
- enforced conditional access (managed devices only, geolocation and corporate network),
- ingested SSO/DB access logs into the SOC with abnormal‑export alerts.
Result: in an internal test, a compromised account could not access sensitive tables without step‑up and an approved ticket; the attempt triggered a correlated SOC alert and automatic block. Evidence (access reports, approval workflows, conditional access rules) was filed for GDPR Art. 25 and NIS 2 Art. 21 compliance.
First practical steps
- Inventory “high‑impact” accounts and sensitive data (IBANs, tax numbers, ID documents), and map who can read/export what.
- Eliminate standing admin rights: move to JIT with approval, time limits and mandatory recording.
- Enable conditional access on critical resources: require managed devices and trusted networks; enforce stronger auth for bulk exports.
- Run quarterly access reviews focused on sensitive scopes with segregation of duties.
- Stream IdP, IAM/PAM and database access logs to your SOC/MDR and create three “high‑value” alerts (abnormal extraction, out‑of‑profile access, risky context).
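As an added example (not from the original article and not Luxgap's SOC content), the three “high‑value” alerts listed above, which also illustrate the fine‑grained read/export logging called for in the key controls, run over a constructed JSON‑lines access log. The table names, the role‑to‑table profile, the business‑hours window and the per‑hour row threshold (a fixed stand‑in for a learned UEBA baseline) are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (JSON lines), not real FICOBA records.
SAMPLE_LOG = """\
{"ts":"2026-02-01T10:02:11Z","user":"agent01","role":"tax_officer","table":"accounts_iban","rows":1,"managed_host":true}
{"ts":"2026-02-01T10:05:40Z","user":"agent01","role":"tax_officer","table":"accounts_iban","rows":1,"managed_host":true}
{"ts":"2026-02-01T23:14:03Z","user":"agent01","role":"tax_officer","table":"accounts_iban","rows":5000,"managed_host":false}
{"ts":"2026-02-01T23:15:10Z","user":"agent01","role":"tax_officer","table":"accounts_iban","rows":5000,"managed_host":false}
{"ts":"2026-02-01T11:30:00Z","user":"clerk07","role":"mail_clerk","table":"accounts_iban","rows":1,"managed_host":true}
"""

SENSITIVE_TABLES = {"accounts_iban", "taxpayer_ids"}          # assumption
ROLE_PROFILE = {"tax_officer": {"accounts_iban", "taxpayer_ids"},
                "mail_clerk": {"addresses"}}                  # assumption: role -> tables
BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 UTC; assumption
ROWS_PER_HOUR_LIMIT = 500       # assumption standing in for a learned UEBA baseline

def parse(log_text):
    """Parse JSON-lines access records, converting the timestamp to datetime."""
    events = []
    for line in log_text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return events

def detect(events):
    """Apply the three high-value rules; return (rule, user, detail) tuples."""
    alerts = []
    rows_per_user_hour = defaultdict(int)
    for e in events:
        if e["table"] not in SENSITIVE_TABLES:
            continue
        # Out-of-profile access: the role is not entitled to this table at all.
        if e["table"] not in ROLE_PROFILE.get(e["role"], set()):
            alerts.append(("out_of_profile", e["user"], f"{e['role']} read {e['table']}"))
        # Risky context: off-hours read from a host outside endpoint management.
        if e["ts"].hour not in BUSINESS_HOURS and not e["managed_host"]:
            alerts.append(("risky_context", e["user"], f"{e['ts'].isoformat()} from unmanaged host"))
        # Abnormal extraction: aggregate sensitive rows per user per clock hour.
        bucket = e["ts"].replace(minute=0, second=0)
        rows_per_user_hour[(e["user"], bucket)] += e["rows"]
    for (user, bucket), rows in rows_per_user_hour.items():
        if rows > ROWS_PER_HOUR_LIMIT:
            alerts.append(("abnormal_extraction", user, f"{rows} rows in hour {bucket.isoformat()}"))
    return alerts
```

On the sample, the two late‑night bulk reads by agent01 raise both the risky‑context and the abnormal‑extraction alerts, while clerk07's single read is flagged only as out‑of‑profile; a real deployment would replace the static threshold with a per‑role baseline learned from the IdP, PAM and database logs.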
The FICOBA incident underscores a simple truth: it’s not just “who logs in,” but “to what, when, how and how far.” Well‑designed, evidenced and monitored IAM makes credential abuse far harder—and demonstrates to ILR/CNPD and auditors that your controls are fit for purpose. For hands‑on support, our outsourced CISO and certified DPO teams steer implementation and evidence.
Official sources
- News — FICOBA: Anadolu Agency, “France reports data breach affecting 1.2 million bank accounts” (18–19 February 2026); ITPro, “A single compromised account gave hackers access to 1.2 million French banking records” (2026).
- Regulatory framework: EUR‑Lex — GDPR, Art. 25; EUR‑Lex — NIS 2 (Directive (EU) 2022/2555), Art. 21; CNPD — Privacy by design/by default; ILR — 24‑hour incident notification; ILR — SERIMA.
Get in touch to assess your IAM controls and sensitive‑data exfiltration detection.