If you have a bank account in France, your complete identity profile (name, address, birth date, phone number, even copies of your ID) was likely sitting in an unprotected database for anyone to access. Not through sophisticated hacking, but through sheer negligence.
IDMerit, a company that handles identity verification for French banks and fintechs, left a MongoDB database wide open on the internet. No password. No firewall. Just a billion records, including 53 million French citizens’ most sensitive financial identity data, available to anyone who knew where to look.
What Actually Happened at IDMerit?
On November 11, 2025, cybersecurity researchers from Cybernews discovered a massive database, nearly one terabyte, hosted on a public MongoDB instance. The database belonged to IDMerit, a Know Your Customer (KYC) provider that helps French financial institutions verify client identities in real-time. The researchers immediately alerted the company, which secured the database the following day.
Here’s the critical distinction: this wasn’t a hack. No one broke in. IDMerit simply left the door unlocked. As one cybersecurity expert noted, on the internet, 24 hours is more than enough time for automated bots to crawl and copy an entire unprotected database. We don’t know who accessed it or for how long it was exposed before discovery.
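The "door left unlocked" the article describes is, in server terms, two settings: a MongoDB instance listening on every network interface and running with authentication disabled. The following is an added example, not IDMerit's configuration (which is not public) and not code from the page: a small audit function that reads a mongod.conf and reports both conditions. The two sample configs are constructed, and the parser (an assumption of this example) handles only the flat two-level subset of the format shown here.

```python
# Added example: audit a mongod.conf for the two settings whose combination
# makes a database publicly reachable without credentials. The sample configs
# are constructed for this illustration and are not IDMerit's.

# Constructed: bound to all interfaces with no security section at all.
# MongoDB's default for security.authorization is "disabled", so this server
# accepts unauthenticated connections from anywhere the network allows.
EXPOSED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0   # listens on every interface
"""

# Constructed: the same server restricted to loopback with auth enforced.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

PUBLIC_BINDS = {"0.0.0.0", "::"}


def parse_conf(text):
    """Parse the flat `section:` / `  key: value` subset of mongod.conf used
    above (assumption: no deeper nesting and no YAML lists)."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop trailing comments
        if not line.strip():
            continue
        if not line.startswith(" "):              # top-level section header
            section = line.rstrip(":").strip()
            conf.setdefault(section, {})
        else:
            key, _, value = line.strip().partition(":")
            conf.setdefault(section, {})[key.strip()] = value.strip()
    return conf


def audit(text):
    """Return a list of exposure findings; an empty list means neither problem is present."""
    conf = parse_conf(text)
    net = conf.get("net", {})
    security = conf.get("security", {})
    findings = []

    # bindIp may be a comma-separated list; bindIpAll: true overrides it.
    binds = {b.strip() for b in net.get("bindIp", "127.0.0.1").split(",")}
    if net.get("bindIpAll", "false").lower() == "true" or binds & PUBLIC_BINDS:
        findings.append("net.bindIp: listens on all interfaces")

    # A missing security.authorization key means MongoDB's default: disabled.
    if security.get("authorization", "disabled").lower() != "enabled":
        findings.append("security.authorization: not enabled, no credentials required")

    return findings


if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or ["ok"])
```

The audit only covers the server's own configuration. The firewall the article mentions is the second, independent layer: a host firewall or cloud security group that blocks port 27017 from the internet would have limited the exposure even with the configuration above.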
The data was perfectly structured, a goldmine for cybercriminals. Unlike messy data dumps from old breaches, this contained clean, organized identity profiles that could be immediately weaponized for fraud.
The Data Exposed: Your Financial Identity, Fully Assembled
The IDMerit breach exposed what the industry calls KYC (Know Your Customer) data, the same information you provide when opening a bank account or verifying your identity for financial services. For 53 million French individuals, this included:
- Complete identity: gender, full names, birth dates
- Physical location: postal addresses with postal codes
- Contact information: phone numbers and email addresses
- Official documents: copies of identity cards
- Telecom metadata: operator details and related information
This isn’t just personal data; it’s a complete financial identity kit. Combined with the recent DGFiP FICOBA breach, which exposed 1.2 million IBANs and bank details, criminals now have the pieces to assemble highly convincing fraud operations.
The French Banking Sector’s Hidden Weakness
IDMerit operates as a B2B service, which means you’ve probably never heard of them, even if they processed your identity verification. Their clients include major French banks and fintechs, but the company doesn’t put its logo on the verification process. You’re left in the dark about which third parties handle your most sensitive data.
The scale of the breach, 53 million French accounts, suggests IDMerit works with major financial institutions across France. One user who contacted the data protection officers (DPOs) at BoursoBank, Fortuneo, La Banque Postale, HelloBank, Revolut, and other institutions was trying to map the damage; the responses (or lack thereof) revealed the opacity of these relationships.
This points to a systemic problem: security failures in critical French financial infrastructure are often invisible to consumers until they explode into public view. When you trust a bank with your identity, you’re also trusting its unseen network of subcontractors, each of which is a potential point of failure.
The Double Hit: FICOBA and IDMerit
The IDMerit breach didn’t happen in isolation. Just days earlier, the Direction Générale des Finances Publiques (DGFiP) announced that a malicious actor had accessed the FICOBA (Fichier national des comptes bancaires et assimilés), the national database of all bank accounts in France.
The FICOBA breach gave criminals 1.2 million IBANs, names, addresses, and in some cases, tax identifiers. The IDMerit breach adds the missing pieces: phone numbers, emails, and identity documents. Together, they create a terrifyingly complete profile for targeted attacks.
French authorities have contacted affected individuals, but here’s the uncomfortable truth: if you have a bank account in France, you’re in FICOBA. If you’ve opened an account in recent years, you likely went through a KYC process. The probability you’re affected by at least one of these breaches approaches certainty.
Regulatory Response: Too Little, Too Late?
The CNIL (Commission nationale de l’informatique et des libertés) is France’s data protection authority, but many French citizens have lost faith in its ability to enforce meaningful consequences. When one affected user considered filing complaints with both the CNIL and the public prosecutor, the community response was bleak: “La CNIL est aux fraises” (the CNIL is asleep at the wheel), and the justice system isn’t much better.
The frustration is palpable. Companies face minimal penalties for negligence that exposes millions to fraud risk. One commenter pointed out that while France demands ID verification for age-restricted websites, it fails to secure the sensitive data it mandates citizens to provide.
The DGFiP has filed a police report and notified the CNIL, but history suggests consequences will be limited. The real question is whether French regulators will finally treat data protection as a critical infrastructure issue rather than a compliance checkbox.
What This Means for You: The Fraud Risk Is Real
With your KYC data exposed, you’re now vulnerable to highly sophisticated phishing attacks. Here’s what criminals can do:
Targeted phishing (hameçonnage ciblé): They know your name, address, bank, and phone number. They can craft SMS or emails that look exactly like official communications from your bank or the DGFiP.
Identity theft: With your ID card details and personal information, they can attempt to open accounts in your name or take over existing accounts.
Social engineering: Armed with your complete profile, they can manipulate customer service representatives at banks or other institutions.
The DGFiP correctly warns that French tax authorities never ask for passwords or credit card numbers via message. But now criminals can reference your actual IBAN (from FICOBA) and your birth date (from IDMerit) to sound completely legitimate.
Concrete Steps to Protect Yourself
If you have a French bank account, treat this as a “when”, not “if”, situation. Here’s your action plan:
- Activate alerts: Set up transaction notifications for all accounts. Most French banks offer this via their apps.
- Enable two-factor authentication (2FA): Use it everywhere, especially on banking and email accounts. Avoid SMS-based 2FA where possible and use app-based authentication instead.
- Change passwords: Not because they were leaked, but because criminals with your personal data can craft convincing reset attempts. Use unique, strong passwords for each service.
- Monitor your accounts: Check your bank statements weekly, not monthly. Look for small test transactions: criminals often charge €1-2 first to verify an IBAN works before attempting larger fraud.
- Block SEPA direct debits: If your IBAN was in the FICOBA breach, you can block unauthorized SEPA prélèvements (direct debits) through your bank.
- Verify everything: If you receive a call or message claiming to be from your bank or DGFiP, hang up and call back using the official number on their website. Never use contact details provided in the suspicious message.
- Document everything: If you suspect fraud, capture screenshots, save messages, and file a report on cybermalveillance.gouv.fr.
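The "small test transaction" pattern from the monitoring step, and the unknown-creditor check behind the direct-debit step, are easy to automate over a statement export. The following is an added example and not code from the page: it runs two checks over a constructed statement in a simple `date;label;amount` format (an assumption; real bank exports differ) and assumes the account holder keeps a list of creditors they actually gave a SEPA mandate to.

```python
# Added example: check a bank statement export for the "probe charge" pattern
# (a tiny debit followed shortly by a large one from the same counterparty) and
# for SEPA direct debits from creditors without a known mandate.
# The statement below is constructed for this illustration.
from datetime import date

# Constructed sample export: date;label;amount (negative = debit, in EUR)
STATEMENT = """\
2025-11-03;CB CARREFOUR MARKET;-42.17
2025-11-05;PRLV SEPA EDF;-68.00
2025-11-10;PRLV SEPA NOVASHOP LTD;-1.00
2025-11-12;VIR SALAIRE;2450.00
2025-11-14;PRLV SEPA NOVASHOP LTD;-389.90
2025-11-15;CB CARREFOUR MARKET;-19.80
"""

# Assumption: the account holder maintains the list of direct-debit creditors
# they actually signed a SEPA mandate with.
KNOWN_CREDITORS = {"PRLV SEPA EDF"}


def parse_statement(text):
    """Return (date, label, amount) rows in chronological order."""
    rows = []
    for line in text.strip().splitlines():
        day, label, amount = line.split(";")
        rows.append((date.fromisoformat(day), label, float(amount)))
    rows.sort()
    return rows


def find_probe_charges(rows, probe_max=2.0, ratio=10, window_days=30):
    """Flag counterparties whose first debit is probe-sized (<= probe_max EUR)
    and is followed within `window_days` by a debit at least `ratio` times larger."""
    first_debit = {}   # label -> (date, amount) of the first debit seen
    alerts = []
    for day, label, amount in rows:
        if amount >= 0:          # credits are irrelevant to this pattern
            continue
        debit = -amount
        if label not in first_debit:
            first_debit[label] = (day, debit)
            continue
        day0, debit0 = first_debit[label]
        if (debit0 <= probe_max and debit >= ratio * debit0
                and (day - day0).days <= window_days):
            alerts.append(f"{label}: {debit0:.2f} EUR on {day0} then {debit:.2f} EUR on {day}")
    return alerts


def find_unknown_direct_debits(rows, known=KNOWN_CREDITORS):
    """Every SEPA direct debit (PRLV SEPA label) from a creditor not on the mandate list."""
    return sorted({label for _, label, amount in rows
                   if amount < 0 and label.startswith("PRLV SEPA") and label not in known})


if __name__ == "__main__":
    rows = parse_statement(STATEMENT)
    for alert in find_probe_charges(rows):
        print("probe pattern:", alert)
    for label in find_unknown_direct_debits(rows):
        print("unknown creditor:", label)
```

The thresholds (2 EUR probe, 10x follow-up, 30-day window) are illustrative; what matters is that the unknown-creditor check fires on the 1 EUR debit itself, before the larger charge lands, which is the moment a direct-debit block through the bank is still cheap.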
The Bigger Picture: Systemic Failure of Data Protection
These breaches expose a fundamental flaw in how France handles financial data. The state requires citizens to hand over sensitive information for tax compliance, banking, and identity verification, but the infrastructure protecting that data is clearly inadequate.
This is especially concerning given the growing security risks of digital banking and the regulatory failures around it. As more French consumers move to neobanks and fintech apps, their data passes through an increasingly complex chain of subcontractors. Each link in that chain is a potential vulnerability.
The IDMerit breach also raises questions about data minimization, a core principle of GDPR. Why was IDMerit retaining a billion records? Why did they need to keep copies of ID cards after verification was complete? French regulators need to start asking these questions before the next breach, not after.
What Needs to Change
French authorities must treat identity verification providers as critical infrastructure, subject to rigorous security audits and severe penalties for negligence. The current approach of voluntary compliance and symbolic fines isn’t working.
For consumers, the lesson is stark: tools for securing and managing personal financial data are no longer optional. Using password managers, enabling 2FA, and monitoring your financial footprint across institutions isn’t paranoia; it’s basic hygiene in a system that keeps failing you.
The IDMerit breach also highlights the value of open-source, self-hosted alternatives for financial tracking. When commercial platforms centralize millions of identities, they become irresistible targets. Distributed, encrypted solutions may be less convenient, but they limit the blast radius when (not if) the next breach occurs.
Bottom Line: Trust No One, Verify Everything
You’ve likely spent years building trust with your bank, assuming they were protecting your identity with the same vigilance they protect your money. The IDMerit breach proves that trust was misplaced.
Your financial identity (name, address, birth date, phone, email, ID documents) is now circulating in criminal circles. You won’t know if or when it’s used against you. The only defense is relentless verification of every communication, every transaction, every request for information.
French authorities will issue warnings and promises of reform. Banks will send reassuring emails. IDMerit will issue a carefully worded statement about “taking security seriously.” None of this changes the fundamental reality: 53 million French citizens are now more vulnerable to financial fraud than they were last week, and the institutions that failed them face no meaningful consequences.
Check your accounts. Enable 2FA. Verify every message. And next time a company demands your identity documents, ask them who they’re sharing them with, and how those third parties are protecting your data. The silence that follows will tell you everything you need to know about how seriously France takes your financial privacy.