In a digital heist reminiscent of a John le Carré novel, more than $9 million worth of greenhouse-gas emissions permits were stolen from the Czech Republic electricity and carbon trading registry this week and transferred to accounts in other countries, at the same time as the Prague-based registry office was evacuated due to a bomb threat.
That electronic theft, the latest in a series of security breaches affecting the market for carbon emissions, led the European Commission to suspend transactions in national European Union registries on Wednesday for a week.
"Three attacks have taken place since the beginning of the year and other registries are known to be vulnerable to similar attacks," the European Commission said in a statement today. "The Commission's best estimate is that roughly 2 million allowances, representing a total of less than 0.02 percent of allowances in circulation, have been illegally transferred out of certain accounts." The much-larger carbon futures market was not affected, the agency said.
Valued at 14.48 euros each, those 2 million allowances would be worth about $39.4 million based on today's trading.
Carbon emissions allowances, or permits, are not your typical computer hacker target. Similar to other commodities that are traded on spot and futures markets, European Union Allowances permit energy companies and industrial factories to trade their pollution permits by buying and selling allowances allocated by their government. For instance, a Romanian energy company that expects to emit less carbon dioxide for a particular year can sell its extra government-issued emissions allowances to a utility in Germany that expects to emit more carbon dioxide than its government permits.
Ostensibly, the trading system should be highly secure and trades carefully accounted for to prevent fraud and theft. But lax security at some of the registries and the fact that transactions can be completed quickly on the spot market are likely what is appealing to thieves, sources told CNET.
"It seems it is relatively easy to access the registries in this country and other countries," said Nikos Tornikidis, carbon portfolio manager at Blackstone Global Ventures, from whose account 475,000 allowances were stolen.
"Once you get your hands on the allowances, it is quite easy to sell them and the settlement is almost instantaneous," he told CNET in an interview today. "In a matter of hours you can get money out of the system. This doesn't happen when you trade other things."
The bomb threat coinciding with the theft of the allowances is just "too coincidental," said a trader close to the matter who asked to remain anonymous. "The registries have lax security," he said. "They don't have mechanisms to filter the accounts" by serial number to prevent theft.
Some people suspect that an insider was involved, the trader said, adding that he believes it was computer hacking instead.
The market was operating normally until around 12:30 p.m. Tuesday when Prague police received a tip of a bomb threat and the offices of the Czech registry, OTE, which stands for Electricity Market Operator, had to be evacuated, according to Reuters.
Early the next morning, employees at Blackstone Global Ventures went to check their carbon permissions account and noticed that it had been nearly emptied out. In addition, the contact information on the account had been changed, something that should only be accomplished by someone with administrator privileges at the registry, said Tornikidis.
Blackstone reported the matter immediately to the Czech Republic registry and was able to find out the unique serial numbers for the missing allowances, he said. "I hope that we managed to stop the trading at a point where our allowances are with the first buyers after the hacker sold them," he added.
The Czech Republic registry said a total of 1.3 million permits were missing from six accounts and that the digital assets were transferred to accounts in Poland, Italy, Estonia, Lichtenstein, and Germany, and possibly other countries, according to Reuters.
As custodian of the carbon emissions permissions, the OTE has a fiduciary obligation to account holders and should replace any that are missing, Tornikidis said.
"I don't know how it is possible in today's IT world that someone is able to hack into an account where someone's assets are and transfer them out," he said. "Why can't they follow the money trail?"
Jiri Stastny, chief executive officer at the OTE in Prague, could not be reached for comment and other employees at the government-run registry directed all calls to him.
The Czech Republic is not the only country to have security problems crop up in the relatively new carbon emissions trading market. The Austrian registry reported theft of allowances due to hackers last week and 1.6 million allowances belonging to cement maker Holcim in Romania were reported stolen from that country's registry in November. A year ago, 250,000 allowances were stolen in Germany after companies there were targeted by phishing attacks, according to reports.
The European Commission is likely to require additional security procedures at the national registries, such as passwords being sent to mobile phones or other two-factor authentication methods, according to a Bloomberg report.