The Californian Department of Motor Vehicles is investigating a potential security breach within its credit card processing services.
The DMV says there is currently "no evidence" at this time of a direct breach of its computer systems.
The breach is understood to have taken place between August 2013 and January 2014, and the data stolen may have included credit card numbers, expiration dates and three-digit security codes.
The agency was alerted to the issue by law enforcement officials after MasterCard alerted banks to compromised cards used for charges marked "STATE OF CALIF DMV INT".
In a statement, the company said: "In its investigation, the department is performing a forensic review of its systems and seeking information regarding any potential breach from both the external vendor that processes the DMV’s credit card transactions and the credit card companies themselves."
US-based law firm, Block & Leviton, has opened an investigation to determine whether the California DMV’s third-party credit-card processor, Elavon, acted negligently or breached any duties owed to DMV customers.
The DMV, which collects card fees via its website, had more than 11.9m transactions completed on its website in 2012.