BRUSSELS — European Union regulators said on Thursday that the value of greenhouse gas emission permits stolen in online attacks over recent days was about 28 million euros ($37.7 million) and that employees of companies connected to the system might have played a role in the thefts.
The European Commission shut down its Emissions Trading System, its main tool to control greenhouse gas emissions, on Wednesday to stop the spate of thefts. The commission, the European Union’s executive arm, initially put most of the blame on computer hackers and on poor computer security.
“The thefts could have been a concerted action because the recent incidents happened within the last few days,” Maria Kokkonen, a spokeswoman for Connie Hedegaard, the European Union commissioner for climate policy, said on Thursday.
The people behind the thefts “might be one source, or it might be many,” Ms. Kokkonen said.
Another European Union official, who, in accordance with the bloc’s policy on background briefings, spoke only if not identified by name, said some companies that regularly use the system had acknowledged that their employees could be implicated in the thefts.
The thefts were carried out at electronic registries in Austria, Greece, the Czech Republic, Poland and Estonia, according to the commission.
The commission said spot trading at all European Union registries, which track ownership of allowances, would be suspended until at least Wednesday. It said that the next step to shore up the system, which is the world’s largest platform for trading emissions credits, was to meet on Friday with representatives of the 27 member states to ensure that all countries carried out security upgrades.
The stolen permits are part of a system that caps the amount of carbon dioxide, the main greenhouse gas, that companies may emit each year. Companies exceeding their emissions quotas can buy certificates from companies that succeeded in shrinking their carbon footprint.
Officials said it remained too easy to gain access to the system in about half of all European Union countries. In some cases, traders do not have to go through a “two-step” identification procedure that is akin to what many consumers use to gain access to their online bank accounts.
A similar attack that took place a year ago in Germany prompted European Union officials to issue additional security guidelines. But the officials insisted that there had been no need to shut the system down sooner or to do more to verify the security of the system, because there had been no sign of a recurrence of such severe problems until the most recent spate of attacks.
“Security is the responsibility of the national member states for their own registries,” Ms. Kokkonen said, adding that the commission “would remind member states to take measures.” She said the current national system would largely be eliminated by 2013, when a single registry would be introduced.
BlueNext, one of the biggest greenhouse gas exchanges in Europe, said on Thursday that it had asked the authorities in countries like the Czech Republic and Austria for a definitive list of the serial numbers of any stolen permits so that BlueNext could remove them from the market. The step is intended to give buyers confidence they are not holding stolen permits that might later be invalidated.
By taking those permits “out of play, confidence in the market may be restored,” said Keiron Allen, a spokesman for BlueNext, based in Paris. Compensation for traders holding stolen permits would probably vary from country to country, he said.
Mr. Allen said BlueNext had suggested to the European Commission the creation of an electronic notice board so that national registries could report suspicions about stolen permits as soon as they were identified, allowing traders and exchanges to take precautionary measures swiftly.