Earlier this week, Holcim Romania announced that on November 16, 2010 its CO2 accounts held within the Romanian National Registry for Greenhouse Gases were illegally accessed and that 1.6 million CO2 certificates, worth $19 million, were stolen.

One million CO2 allowances were transferred to an account in Liechtenstein. Another 600,000 CO2 allowances were transferred to a company in Italy, which has account registries in Italy and the UK. Some seem to have been further transferred to accounts in the Czech Republic, Great Britain and France.

Holcim Romania informed the Romanian Registry requesting blockage and recuperation of its CO2 allowances. Formal criminal investigations have been requested from Romanian law enforcement authorities. An international investigation has been initiated. EUAs have a unique identification number.

Now, the EU Commission says that a computer virus (called Nimkey) is to blame.

Last week, Germany’s registry said it blocked transactions until Dec. 3, after reports that access data was stolen from users of other European emissions trading registries with the help of Nimkey, Bloomberg reports.

With EUAs closed system, tracking the EUAs through the registry systems may be relatively easy, but Holcim may not get the allowances back, Owen Lomas, a consultant at Allen & Overy LLP’s climate change group, says in a Bloomberg article. In English law, assuming they were treated as a type of property, the legal owner would usually get the allowances back, but in some countries, such as Germany, an “innocent buyer” may be entitled to keep the permits.