Thousands of credit card numbers were stolen from a state government Web site that allows residents to register their cars and buy state permits, authorities said Friday.

The private company that runs http://www.ri.gov said that 4,118 credit card numbers had probably been taken, a state official said. All online transactions were suspended Friday until any possible security problems could be fixed.

"We just can't risk it," said Department of Administration Director Beverly Najarian.

The company, New England Interactive, originally told state officials late last month that eight credit card numbers were stolen during a security breach, but said Thursday that thousands had probably been taken, Najarian said.

The state didn't notify consumers in December about the breach, Najarian said, because it appeared limited and company officials promised security had been tightened.

Najarian said she did not know why the scope of the breach wasn't detected sooner, and the state will hire an outside consultant to conduct a security review.

State officials have decided to mail notices to the affected credit card holders, she said. So far, no fraudulent charges have been reported.

It would be difficult to use the stolen information for fraudulent purchases because the Web site only records partial credit card numbers, company spokeswoman Renee Loring said.

The breach was uncovered when a security company discovered a Web site in Russian, Najarian said. The author claimed he obtained 53,000 credit card numbers.

Loring said Web site was breached on Dec. 28, and far fewer than 53,000 numbers were stolen. She said the company notified credit card companies of the breach, but did not notify card holders.

Jeff Neal, a spokesman for Gov. Don Carcieri, said the company's contract to run the state's Web site expires this summer and the governor's office plans a review before deciding whether to extend it.

Steven O'Donnell, spokesman for the Rhode Island State Police, said a computer crimes team was investigating.

Loring said the company's other state Web sites for Maine, New Hampshire and Vermont were not affected.