At least three agencies are investigating whether someone stole donors’ credit card numbers from the campaign of former U.S. Sen. Norm Coleman. And the state attorney general has been asked to look into whether the campaign broke any laws.

The campaign clammed up Friday, citing the inquiries, as criticism continued. A local law professor says he believes the campaign “clearly” broke two state laws, and a nationally recognized cyber-security guru called part of the campaign’s explanation “idiotic” and straining belief.

Earlier this week, a campaign attorney said he believed the campaign broke no laws, and Coleman cast himself as a victim of data theft.

The data was exposed to anyone with an Internet search engine for part of Jan. 28.

On Tuesday night, the self-described whistleblower Web site WikiLeaks.org blew the story open by e-mailing more than 50,000 people — whose names were contained on two databases, one of which included full credit card numbers and security codes of some 4,700 people — with the news that their information had been compromised. The next day, as proof, WikiLeaks posted two spreadsheets showing only the last four digits of the credit card numbers and the security codes.

It hasn’t been verified that the spreadsheets came from the Coleman Web site, but the campaign said it’s operating under the assumption they were, and a number of people contacted by the Pioneer Press said they donated online and that the credit card numbers and codes are real.

The U.S. Secret Service, state Bureau of Criminal Apprehension and St. Paul police said Friday they have opened investigations, and the state attorney general’s office has received a written complaint against the campaign from a Minneapolis Web developer who posted the complaint on the Internet. A spokesman for Attorney General Lori Swanson declined to comment on whether an investigation was open.

David Schultz, a professor at Hamline University School of Business, said he believes the campaign broke two state laws. One prohibits anyone from keeping the three- or four-digit security codes that mark the front or back of credit cards. “That clearly, clearly, looks like they violated that law,” he said.

The second is a law that requires immediate disclosure as soon as credit card data is compromised. The campaign began notifying donors only after WikiLeaks’ announcement. “The law doesn’t seem to say that there actually has to be a theft but a possible compromise of the consumer database,” Schultz said.

That’s a direct contradiction to top Coleman campaign officials, who claim they said nothing after the Jan. 28 exposure of the data because law-enforcement officials told them no one had actually accessed the data. Campaign attorney Fritz Knaak has said the Secret Service told the campaign “they had a virtual certainty” of that.

“That’s idiotic. There’s no other way to say it,” said Bruce Schneier, founder of an information security company and a nationally recognized expert who lives in Minneapolis. Investigators know good hackers can cover their tracks to make it impossible to detect a sneak, he said. Moreover, he said, on Jan. 28, no one needed to hack anything to get the data.

Schneier used the analogy of a house that wasn’t broken into, but rather was left with the front door wide open. “How can you say nobody walked in?” he said. “I can’t believe the feds or any investigator was that stupid. So either he (Knaak) misunderstood or is lying.”

The Pioneer Press e-mailed the campaign with a series of questions about these issues. Spokesman Tom Erickson responded, in part: “Given the sensitive nature of this attack, we will have no further comment on … this matter while it is under active investigation.”

The Coleman for Senate campaign filed a report Thursday with St. Paul police. A person named Tyler Olson “called to report a breach of an Internet server” between Jan. 28 and Wednesday, a report said, noting “no suspect information.”

Meanwhile, the WikiLeaks site itself drew more curiosity Friday.

Its media office e-mailed at least some of those named on its spreadsheets and told them, “Several national news organizations, such as the AP, and local organizations in MN have asked us for your feedback.” It went on to say that the media groups had a “pool” agreement in which WikiLeaks would act as a conduit for a request for a “one-time comment” of each supporter. It promised them confidentiality.

Doug Glass, Minnesota news editor for the Associated Press, said the AP knew nothing of this. WikiLeaks spokesman Jay Lim acknowledged the AP was not involved after the Pioneer Press, which also had no such agreement, questioned him.

Lim did not respond to a request about which news organizations had agreed to a pool. Such a third-party pooling agreement would be highly unusual because the media already have access to the donors’ contact information and because the Coleman campaign has questioned the involvement of WikiLeaks in what it has called “theft.”

Mara H. Gottfried contributed to this report.