"We haven't had a figure like two million allowances being stolen before," said Maria Kokkonen, spokesperson for EU Climate Action Commissioner Connie Hedegaard.
"It is the biggest."
On 19 January, the European Commission suspended trading in carbon spot markets after the disappearance of 475,000 EUAs from the Czech national carbon registry, and a series of other attacks, prompted national registries there and in Greece, Estonia, Poland and Austria to shut down.
The stolen credits, which make up around 0.02% of the ETS's total value, were then cashed on the spot markets within minutes.
Questions have been raised about the level of attention that some countries have been giving to the ETS. Jos Delbeke, director-general at the Commission's climate action department, said: "I'm a bit speechless about the negligence some member states have been showing."
His concern was shared by spokesperson Maria Kokkonen. "We have continuously urged member states to enhance their security measures," she told EurActiv.
"It is in their interests to protect their companies. We have 14 member states whose registries are not upgraded when it comes to security measures," Kokkonen said.
Hacking and 'phishing'
All EU national carbon registries are now expected to stay closed until identification protocols in problematic computer systems are strengthened. "The sooner they increase the security measures, the sooner we can re-open the systems," Kokkonen said.
Trevor Sikorski, director of carbon markets and environmental products research at Barclays Capital, predicted that the closure could cost carbon traders around €70m per week.
EU officials attribute the theft to a mixture of computer hacking and "phishing" scams, where bogus websites are created that trick investors into providing fraudsters with password details.
These are used to access the permits, which are then sold on open spot markets within markets by traders using fictitious identities. The Commission refused to rule out the possibility that traders from some firms within the ETS were responsible for the fraud.
The stolen EUAs are thought to have been transferred to an account in Estonia, one of the first countries to shut its registry on Wednesday.
After a series of VAT "carousel" and "phishing" frauds last year, the Commission proposed tighter security measures. But a number of member states declined to implement them because they said they could not afford to.
One Commission official pointed out that tens of thousands of euros spent on security could prevent millions of euros in losses. "It is also a question of their national image," EU spokesperson Kokkonen told EurActiv.
Stig Schjolset, a senior market analyst at Point Carbon, said the lockdown of the spot markets would also lower the volume of trading on futures markets. "It is definitely very bad for market confidence," he told EurActiv.
"It is also very bad for the reputation of the carbon market because it adds to other similar incidents we've had over the last couple of years," Schjolset said.
He estimated that half of EU member states had not implemented agreed security updates due to manpower, funding and prioritisation issues.