European Carbon Exchange Closed After £6m Theft

The European carbon trading market has been suspended for a week after two million carbon credits worth €7 million (£6 million) were stolen by hackers.

The temporary closure, after repeated security breaches, marks a serious failure for the trading system, which is part of a European strategy to provide incentives for utilities to  reduce their use of fossil fuels. Carbon trading schemes rely on moves to increase the price of carbon, but create a new currency with new opportunities for fraud.

A spokeswoman for the EU said that 14 of the 27 national trading registries need to boost their online protection “to minimum standards”.

A Year Of Credit Thefts

The countries affected have not all been named but Germany is not thought to be one of them. The security measures in that country have been stepped up over the past year following a phishing scam. This netted the scammers 250,000 carbon credit permits worth more than €3 million (£2.5 million) stolen from six German companies.

In a statement, the EU said the closure of the registries is a “transitional measure” taken “in view of recurring security breaches in national registries over the last two months”.

Hacking attempts listed in the document mention one on Austria’s registry last week and the theft of 1.6 million credits from Romania’s registry last November. As the various robberies were spread over eight weeks, it is assumed that other credits have been stolen but the total has not been disclosed.

The trigger event for the closure was the theft of the 475,000 allowances reported by a Czech carbon trader, Blackstone Global Ventures. The firm said that the stolen credits were transferred to Poland last Tuesday, then to Estonia, onwards to Liechtenstein after which the trail disappeared.

Alan Bentley, international senior vice president at operational endpoint security specialist Lumension, said that the theft may be worrying but the fact that a trading market has been paralysed is of greater concern.

“If the registry has been polluted by hackers, the market is in trouble,” he said. “The registry holds allocations for each EU country, meaning that if the integrity of that data has been compromised, it will be difficult to switch the market back on.”

The seven day suspension of the registries – until at least next Wednesday –  is an initial measure but the EU spoleswoman said that it will remain closed until the security systems are all in place.

“There is an obvious need for organisations that support critical infrastructure, to use more intelligent security defences,” observed Bentley. “Markets have contended with balancing their agility whilst incorporating bleeding-edge technology that errs on the side of caution.”

The thefts are particularly embarrassing for the EU which is on the verge of combining the registries and also has a major cyber-security initiative underway.