Carbon credit thieves still at large

Police are hunting for the perpetrators of a daring cyber attack in which 10 million euros worth of carbon credits were stolen within minutes from the Czech emissions allowance market in mid-January.

The Electricity Market Operator (OTE), which runs the country's registry for trading emissions allowances, has said the market will remain closed for at least six more weeks to allow for a full operational review following Jan. 19's massive heist.

OTE says it has already tracked down almost half of the 1,306,000 permits stolen and is close to recovering the remaining 690,000 EU Allowances, or EUAs.

However, the organization has admitted it has no idea who was behind the attack.

In a statement, OTE Director Jiří Šťastný said police were "investigating the full extent of the theft and the motives behind it."

"Our current priority is to trace all stolen allowances for their return to the original account holders, and restore confidence in emissions trading," Šťastný said.

Some 610,000 of the stolen EUAs have already been found by the registries for the German and Estonian carbon markets. The majority of the outstanding credits lifted from the Czech market are thought to be in UK-based accounts.

The recoveries were made after the OTE identified the unique serial numbers of the stolen credits and sent them to all other EU registries, as well as publishing them online.

Šťastný defended the six-week closure - which far exceeds the EU's initial assessment that registries would have to shut down for just a week - and denied any suggestion that the organization's IT security was inadequate.

"The reason for the long shutdown of our system is not the state of infrastructure, which is equipped to higher standards than those prescribed by EU regulations for the conduct of secure transactions," Šťastný said.

"We expect a longer hold-up time because we first need to work out the organizational and legal consequences of the attack on our system," he said.

He added that OTE also had to "ring-fence the whole environment" for long enough to allow police to "assess criminal responsibility."

Semi-state owned energy giant ČEZ was worst hit by the registry attack, losing 700,000 of its credits in two unauthorized transfers made during the cyber theft.

The company says it has filed its own criminal complaint about the incident, and lays the blame squarely on OTE.

"OTE is responsible toward ČEZ and other emissions permit registry users for the security of the carbon emissions permits on their accounts similarly as, for example, banks are responsible for the security of their clients' financial deposits," Eva Nováková, ČEZ press officer, said in a statement Jan. 27.

"We expect OTE within a few days to disclose more details of its approach to resolve the entire incident and to return to our accounts the permits that have been transferred in an unauthorized manner," Nováková added.

Emissions omissions

Although ČEZ declined to disclose the sum it lost, current market rates of 14-15 euros per one-ton pollution permit would value ČEZ's stolen allowances at about 10 million euros.

Brno-based Blackstone Global Ventures, which first spotted the theft and notified the OTE of the attack, was also severely hit, losing 475,000 of their credits.

The Czech Republic was the worst affected of five countries hit by the cyber attack, with thefts from the markets in Austria, Greece, Estonia and Poland bringing the total stolen to about 30 million euros.

The European Commission agreed Jan. 24 that each national market must furnish an independent report showing they are following a newly established set of security guidelines in order to have their trading suspension lifted. None of the five has yet reopened.

The EU Emissions Trading System (ETS) is slated to combine member states' individual markets into a single market in two years' time.

Although considered one of the union's flagship measures on climate change, the emissions markets - which had a combined turnover of more than 72 million euros last year - have been dogged by security breaches, with scams in 2009 and 2008 preceding this year's heist.

Bill Lehane can be reached at
blehane@praguepost.com