London, 19 January 2011

Several registries were shut Wednesday after a Czech firm said EUAs were stolen from its account. Blackstone Global Ventures told Point Carbon News by phone that 475,000 EU allowances (EUAs) had been stolen from its account at the Czech emissions registry some time on Tuesday. Emissions registries in Czech Republic, Poland, Estonia and Greece said on their websites that they had halted all transfers of carbon allowances under the EU’s emissions trading scheme, a move that will likely hinder spot trade in EUAs.

Austria’s registry also remained closed following a phishing attack on 10 January. “We are still looking at the Austrian issue and we have been informed that the Czech and Greek registries have also been attacked,” a European commission spokeswoman told Reuters.

“For the time being we know that EUAs have been stolen and the (commission) is looking into this. But the issue of security measures remains the responsibility of the EU member states’ registries.”

Bomb scare

The Czech emissions registry told Point Carbon News it had received a formal complaint from an account holder about a transfer which the company did not initiate, but would not give further details.

“It looks to be a different method from a simple phishing attack seen before ... it is very serious,” said Miroslav Rehor with the Czech registry.

He added that the registry’s headquarters had been evacuated for three hours on Tuesday, during which time the attack may have taken place.

“I have heard it was maybe a bomb scare (but) I don’t know if we can connect it (to the theft),” he added.

Hot potato

Nikos Tornikidis, a portfolio manager at Blackstone, said the EUAs were managed on behalf of at least one industrial installation, but could not identify whose accounts were breached as he said the Czech registry had not yet confirmed the missing credits’ ID numbers.

“We’ve heard the EUAs went to (an account in) Poland, then to Estonia, then to Liechtenstein, and the latest is they have left Liechtenstein, but we have no idea where they went after that,” he said, adding that Czech authorities had been notified.

Rehor confirmed the missing EUAs had been transferred to an account in Poland following the attack.

A spokeswoman at Poland’s emissions registry would not confirm whether it had closed because of the theft, saying only that it had shut for “security reasons” and that it could reopen this afternoon.

Greece’s and Estonia’s emissions registries were not immediately available for comment. A spokesman at Liechtenstein’s registry, which remained open on Wednesday, could not confirm the whereabouts of the missing credits, but said it was working with registries in Czech Republic, Poland and Estonia to investigate the claims.

Security

The attacks come two months after 1.6 million EUAs were stolen from a Romanian registry account owned by European cement producer Holcim.

Around 600,000 of the stolen allowances were identified in Liechtenstein’s registry and handed back to Holcim.

The remaining 1 million are believed to have been traded many times over, meaning most companies that bought the credits in good faith are likely to be allowed to keep the allowances.

Rehor said the Czech registry had previously planned to close at 1500 GMT on Wednesday in order to implement new software and hardware to beef up security.

“Today at least six registries were shut after a Czech firm reported that some 475,000 EU Allowances (EUAs) were stolen from its account yesterday. We cannot be categorical that the closures were due to the theft, but think it extremely likely,” Kjersti Ulset, Manager European Carbon Market at Point Carbon.

“Hacking attacks of this type have also occurred elsewhere within the EU in the recent past. Although such incidents are negligible in terms of actual market impact they will over time undermine the credibility of carbon trading as a policy measure to reduce emissions in Europe. Immediate actions to improve the security of EU registries are thus needed,” he added.

Ends --

By Michael Szabo,  www.pointcarbon.co