Hacker gets state credit card info

February 10, 2007

By Niki Kelly, The Journal Gazette


State technology officials sent letters Friday to 5,600 people and businesses informing them that a hacker obtained thousands of credit card numbers from the state Web site.

Although numbers are usually encrypted or shortened to the last four digits, the Office of Technology conceded a technical error allowed the full credit card numbers to remain on the system and be viewed by the intruder.

"Like thousands of web sites, the state's web site is constantly under attack from hackers," the letter said. "To repel these attacks, the state has implemented the highest levels of security and submitted itself to regular independent audits to ensure that data is safeguarded."

"Despite these efforts, the state's web site recently experienced a security breach."

Chris Cotterill, director of the site, www.IN.gov, said the hacking occurred in early January but wasn't discovered until Jan. 25.

The next week was spent undergoing an outside audit, which revealed the credit card numbers had been compromised. That news came 10 minutes into the Super Bowl on Sunday.

"It was one thing that the hacker got in and another that they were able to access the info because of our technical mistake," Cotterill said Friday, noting that no disciplinary action has yet been taken.

"Our sole focus right now is the people who have been affected," he said.

The state has already notified the Secret Service and the credit card companies of those cards that were viewed. Each account has been placed on a watch list to track potential fraudulent activity. None has been apparent so far.

All three consumer reporting agencies have been contacted, and the affected cardholders were asked to review their credit card statements since Jan. 1.

"We had planned for this but didn't expect it," Cotterill said. "This has caused a top-to-bottom review of all Web activity."

He said the state Web site offers more than 300 online services and has been conducting online transactions for about a decade. Some examples include renewing a professional license, reserving a campsite, getting a crash report from the Indiana State Police and receiving business information from the secretary of state's office.

The letter was sent from "the IN.gov Team" and did not include the name of the person in charge - something Cotterill said he now regrets.

He said he signed his name to the first draft but was advised by staffers that Hoosiers receiving the letter could use his name to find his phone number and harass his family.

"I will say on the record that the buck stops with me, and I am deeply apologetic," Cotterill said.
