NIC realized that more than eight credit cards might have been compromised last week, when it learned of information on a Russian-language Web site that appeared to discuss the hacking. NEI worked to cross-reference details on the Russian site against information it already had and on Thursday notified NIC, the state CIO, law enforcement officials and credit card companies that additional credit cards were involved in the hacking. That's when the company found that 4,117 credit card numbers had been stolen.

"NIC takes security matters very seriously," Harry Herington, chief operating officer of NIC, said in the statement. "We take responsibility for this incident and acted immediately to correct the breach upon discovering it. We will continue to work with Rhode Island state officials, law enforcement and the credit card companies to resolve this issue."

But in a letter to Augusta, Maine-based NEI, attorneys for the state indicated that Rhode Island officials learned of the breach only last week.

"[NEI] has so far provided incomplete and conflicting responses to the state's efforts to obtain accurate information regarding the size, nature and reason [of the breach]. This is unacceptable and has unnecessarily led to confusion and concern among users of the RI.gov Web site," said James DeGraw, an attorney at Boston-based Ropes & Gray LLP.

The state called on NEI to do the following: