Europe boasts that its control of polluting rights makes it a leading light in moves to save the planet, but patchwork national systems for trading carbon credits have simply left hackers licking their lips.
As of 7:00 pm on Wednesday (1800 GMT), the EU Emissions Trading Scheme (ETS), which allows around 12,000 companies including huge multinationals to buy and sell rights to pump industrial gases into the atmosphere, now and in the future, has been shut down.
It won’t re-open for a week after cyber criminals scuttled in and swiped two million “certificates” — free polluting permits issued by national European Union governments that are currently worth some 14 euros each.
Each certificate equates to one tonne of emissions, but the national systems of five EU states — Austria, the Czech Republic, Estonia, Greece and Poland — each fell victim to “concerted” online thievery over five days this week.
Credits stolen just from the Czech Republic were worth seven million euros.
The system’s weakness is the cause of enormous frustration in Brussels, which would like to have central control, and is an embarrassment as well as the EU tries to nudge international partners into deeper cuts to emissions over the coming decades.
The reason is it depends on 27 national guardians, who cannot agree on minimum cross-border online security standards.
The scheme will re-open on January 26 “but only with those countries which will have taken sufficient measures to reinforce their security,” according to a top EU official.
Fourteen of the 27 European Union states need to boost security around their entry points to the largest multinational, greenhouse gas emissions trading scheme in the world.
Maria Kokkonen, spokeswoman for Danish EU climate action commissioner Connie Hedegaard, did not list the countries immediately, but said powerhouse Germany was not among them as it had already ring-fenced its IT following a previous attack.
“We very much hope that this series of incidents speeds up the process” of tightening security ahead of a planned switch to an EU-wide registry in 2013.
“The sooner states take security measures, the sooner we can reopen the system,” she stressed.
Experts from the 27 states will meet in Brussels on Friday to try and hammer out new action.
All the hackers need are passcodes to get in, and the investigation under way will also try to establish whether there were insiders at any of the companies or servers involved.
Some 80 percent of transactions are for long-term annual quotas, but quick instant credits, for companies who need more and who buy them from those who don’t, involve instant payment.
The European Commission says hackers open an account in the system and close it as soon as the money is transferred.
The volume stolen and re-sold represents just a fraction of global permits, but the system has repeatedly suffered security breaches.
Last year a series of emails that was sent to trick users into divulging their passwords, a type of attack known as “phishing,” sparked panic and forced a halt in trading in 13 countries including Spain.
The European police organisation Europol estimate a value added tax (VAT) scam on carbon credits in 2008 and 2009 netted criminals five million euros.
