
Hello 😊⛷️,
I'll see you again for the February edition of Récap'IT.
Stolen identities, ransomware, digital sovereignty, IAM debt: this month's cyber news confirms one thing. The security perimeter no longer exists. What remains is identity and access management—or the lack thereof.
Enjoy your reading!
📅 On today's agenda:
FICOBA: 1.2 million bank accounts exposed
👉 Go !!

At the end of January 2026, a malicious actor gained access to FICOBA, the national bank account database managed by the DGFiP, by stealing the login credentials of a civil servant with inter-ministerial access. No zero-day vulnerability, no sophisticated exploit. A legitimate account, overly broad rights, no second authentication factor, and the door was open to the bank account numbers, IBANs, identities, and addresses of 1.2 million account holders for several days without triggering any alerts.
This is not an isolated case. A cross-analysis of major French public data breaches published by Laurent de Cavel, DPO, reveals a recurring pattern: France Travail in March 2024 (43 million people), Viamedis/Almerys in February 2024 (33 million), the Ministries of the Interior and Sports in December 2025, FICOBA in January 2026. Each time, the same three factors were at play: compromised credentials, lack of MFA, and late or non-existent detection. Marie-Laure Denis, president of the CNIL, put it bluntly: 80% of the major breaches in 2024 could have been prevented with two-factor authentication.
What makes the FICOBA case particularly instructive is that the attacker did not need to break down any doors. With valid rights, he navigated like an ordinary user: no permission anomalies, no privilege escalation to detect. The DGFiP reacted correctly, notifying the CNIL and ANSSI and cutting off access. But several days had already passed. This detection delay is the real operational issue: how long can a compromised account act freely in your systems before an alert is triggered?
Three areas stand out clearly: systematic MFA for all access to sensitive data, the principle of least privilege applied to inter-application accounts that are often too permissive, and the implementation of behavioral detection mechanisms capable of identifying abnormal extraction in terms of volume or frequency. These are fundamentals that have been reiterated in standards for years, and which incidents continue to bring back to the table.
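As an added illustration (not taken from the sources cited here), the sketch below shows the kind of behavioral check the third point describes: each account's hourly query count and record volume are compared with that account's own history. The account names, timestamps, log format and the factor of 5 are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

def sample_events():
    """Constructed access log: (ISO timestamp, account, records returned)."""
    ev = []
    for h in range(9, 13):  # four ordinary hours: 3 lookups of 2 records each
        ev += [(f"2026-01-20T{h:02d}:{m:02d}:00", "agent.a", 2) for m in (5, 25, 45)]
    # Constructed anomaly: 40 lookups of 250 records within one night hour
    ev += [(f"2026-01-21T02:{m:02d}:00", "agent.a", 250) for m in range(40)]
    for h in range(9, 14):  # a second account that stays within its habits
        ev.append((f"2026-01-20T{h:02d}:10:00", "agent.b", 30))
    return ev

def hourly_profile(events):
    """Sum query count and records read per (account, clock hour)."""
    buckets = defaultdict(lambda: [0, 0])
    for ts, account, records in events:
        hour = datetime.fromisoformat(ts).replace(minute=0, second=0)
        buckets[(account, hour)][0] += 1
        buckets[(account, hour)][1] += records
    return buckets

def flag_abnormal(events, factor=5, min_history=3):
    """Flag hours exceeding factor x the account's median over earlier hours."""
    per_account = defaultdict(list)
    for (account, hour), (queries, records) in sorted(hourly_profile(events).items()):
        per_account[account].append((hour, queries, records))
    alerts = []
    for account, hours in per_account.items():
        for i, (hour, queries, records) in enumerate(hours):
            history = hours[:i]
            if len(history) < min_history:
                continue  # not enough past activity to define "normal"
            reasons = []
            if queries > factor * median(h[1] for h in history):
                reasons.append("frequency")
            if records > factor * median(h[2] for h in history):
                reasons.append("volume")
            if reasons:
                alerts.append((account, hour.isoformat(), reasons))
    return alerts

if __name__ == "__main__":
    for alert in flag_abnormal(sample_events()):
        print(alert)
```

Because the baseline is per account, a valid login with unchanged permissions still stands out as soon as its extraction pattern departs from its own past behavior.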
Source: DPO partage, France Info, Impôt.gouv


The Sophos Active Adversary 2026 report, based on analysis of 661 real incidents between November 2024 and October 2025, is unequivocal: 67% of attacks originate from compromised credentials. Not a software flaw, not a zero-day. An account. And once inside the network, it takes the attacker an average of 45 minutes to reach Active Directory. In other words, there is virtually no time to react if detection is not in place within the first few minutes.
What makes the picture even more uncomfortable is the evolution of methods. Groups like Scattered Spider no longer try to force open a reinforced door: they call IT support, pretend to be an employee, and ask for an MFA reset or the registration of a new device. Vishing, social engineering targeted at human procedures, bypasses even the most sophisticated technical controls. MFA alone is no longer enough if the processes surrounding its management remain vulnerable.
Another key finding from the Sophos report is that 88% of malicious payloads are deployed outside of working hours. Attackers understand that security teams are asleep, and they optimize their window of opportunity accordingly. Without continuous behavioral monitoring and automated detection capabilities, weekends and nights become comfort zones for attackers.
The conclusion is clear: identity security is no longer a technical issue that can be resolved with a tool. It is a governance issue that affects processes, access rights, support team training, and real-time supervision. Those who still treat IAM as a box to tick in an audit will continue to add to the statistics.
Source: IT for business, IT Pro


The United Kingdom is preparing to ban ransom payments for the public sector and critical infrastructure. France is not there yet, but the trajectory is clear: ANSSI strongly advises against paying, cyber insurers are tightening their conditions, and the responsibility of managers is increasing with NIS2 and the 2023-2030 Military Planning Law. Paying remains legally possible, but increasingly difficult to justify.
What this debate reveals above all is that the organizations that fare best are not those that negotiated the best insurance contract. They are those that anticipated the crisis: identifying critical systems, implementing immutable backups that were thoroughly tested, and establishing crisis procedures involving management, legal, and communications teams. Not theory, but practical operations.
The right question to ask internally right now is: if you were hit tomorrow morning, how long would it take you to get your essential systems back up and running without touching your wallet?
Source: Journal du Net


Every arrival creates access. Every departure leaves something behind. Every internal move generates new access without cleaning up the old. Multiply that by the growth of the organization and the stacking of SaaS, and you get IAM debt: an invisible stockpile of poorly calibrated rights and orphaned accounts that are never reviewed.
What makes it dangerous is that it is invisible—until the day an audit or attack suddenly makes it very visible. The incidents analyzed in this edition illustrate this mechanism perfectly: overly permissive accounts, rights that are never revoked, no traceability. François Poulet, CEO of Youzer, discusses this topic in an opinion piece.
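To make the mechanism concrete, here is an added example (not from the opinion piece or from Youzer's product) that reconciles a roster of people against an account inventory and surfaces the three kinds of debt described above: orphaned accounts, leavers whose access was never revoked, and movers who kept rights from a previous team. All names, applications and fields are constructed assumptions.

```python
# Constructed roster (HR plus contractors): person -> (status, current team)
ROSTER = {
    "a.martin": ("active", "finance"),
    "b.durand": ("left", "sales"),
    "c.petit": ("active", "it"),  # moved from sales to it
}

# Constructed account inventory across applications:
# (application, login, owner, team the right was granted for, enabled)
ACCOUNTS = [
    ("erp", "amartin", "a.martin", "finance", True),
    ("crm", "bdurand", "b.durand", "sales", True),    # departure, still enabled
    ("erp", "bdurand", "b.durand", "sales", False),   # departure, disabled
    ("crm", "cpetit", "c.petit", "sales", True),      # right from the old team
    ("vpn", "cpetit", "c.petit", "it", True),
    ("saas-x", "svc-export", None, "finance", True),  # nobody owns it
    ("saas-x", "ext.roux", "d.roux", "it", True),     # owner missing from roster
]

def iam_debt(roster, accounts):
    """Classify every enabled account that no current need justifies."""
    findings = []
    for app, login, owner, granted_for, enabled in accounts:
        if not enabled:
            continue  # disabled accounts no longer grant access
        person = roster.get(owner)
        if person is None:
            findings.append((app, login, "orphaned"))
        elif person[0] != "active":
            findings.append((app, login, "leaver"))
        elif person[1] != granted_for:
            findings.append((app, login, "mover"))
    return findings

def summary(findings):
    """Count findings per category for a review dashboard."""
    counts = {}
    for _, _, kind in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts

if __name__ == "__main__":
    debt = iam_debt(ROSTER, ACCOUNTS)
    for item in debt:
        print(item)
    print(summary(debt))
```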
Source: Undernews


European leaders met in Belgium on February 11 and 12 to decide on the issue of technological dependence on the United States. The result: no consensus, two conflicting visions, and a reality that remains unchanged. According to Cigref, 80% of spending on professional cloud software and services in Europe goes to American companies. Arthur Mensch, the CEO of Mistral, spoke in Davos about Europe being on the path to "digital colonization."
For CIOs, the issue is less geopolitical than operational: which components of your infrastructure could be cut off, restricted, or subject to extraterritorial pressure overnight? France is moving forward in small steps: all government departments must migrate to the sovereign videoconferencing tool Visio by 2027. But beware of false refuges: offers labeled "sovereign cloud" deserve to be read closely. Some are based on American infrastructure operated by French players, which changes the operator but not the structural dependence.
Source: Journal du Net


On February 9, 2026, ANSSI structured its open source policy around four pillars: publishing its tools under free licenses, contributing to existing projects, supporting the ecosystem, and favoring open solutions internally. The agency defaults to the Apache 2.0 license, which allows commercial reuse without redistribution requirements. The underlying message remains the same: true technological mastery comes from the verifiability of the code, not from the address of the data center.
Source: ANSSI


Not everyone has a connected HRIS. And even when one exists, some organizations prefer not to give access to it for security reasons, or have entire groups of people who are excluded from it: contractors, temporary workers, and external consultants. Youzer forms address these situations by triggering the same workflows as an HRIS synchronization, without having one.
In practical terms, a form covers four situations:
For organizations that used CSV imports, forms take over for each individual movement after the initial transfer. Less workload for IT teams, reliable processes, clear traceability—and the guarantee that no service provider will retain active access after their assignment has ended.
Thank you for reading me this far!
Any feedback, want to discuss a project?
I'm here for that 👋.
Every month I send you my discoveries, my analysis on IT news.
I do a lot of monitoring and I share it all!
I'm Mélanie and I'm Youzer's marketing manager.
About me? I have an unquenchable thirst for learning! I'd rather read a book 100 times than watch a movie. I'm a fan of HP 🧙🏼.
I do running and collective sport roller (don't look for it, it's dangerous).