Nothing says “Happy New Year!” like an investigation from the attorney general. Such is the reality for Wells Fargo & Co., which now must explain to Connecticut Attorney General George Jepsen why it may have disclosed customers’ Social Security numbers when it mailed them copies of subpoenas issued by the state Department of Social Services (DSS) as part of a fraud investigation.

The potential breach is just part of a larger probe by the Connecticut DSS into whether state employees falsified financial information for food benefits issued in the wake of Hurricane Irene in August 2011. Improper disclosure of Social Security numbers by individuals or entities without redaction is a violation of state law.

“My initial review suggests that neither Connecticut nor federal law required Wells to disclose DSS’s subpoenas to the customers whose records were sought therein,” Jepsen wrote in a letter to James Strother, Wells Fargo’s senior executive vice president and general counsel. “Nor am I aware of any reason to conclude that Wells was prohibited from redacting other individuals’ information from subpoenas it chose to disclose to customers.”

The AG’s office reports that 130 Social Security numbers, along with identifying information, were included on at least two subpoenas issued to Wells Fargo. The financial services firm purportedly then passed on copies of the subpoenas to its customers without redacting any of that personal information.

Jepsen also requested in the letter, dated Jan. 4, that Wells Fargo respond by next week.

“It is vital that you provide further information to my office concerning this matter so that I may determine the appropriateness of Wells’ conduct and whether Wells must provide affected individuals with protections against identity theft or other harms,” Jepsen wrote.

If a breach did occur, Jepsen wrote that he would ask the company to provide credit monitoring, identity theft insurance and security freeze reimbursement to the affected customers.

A Wells Fargo spokesman told Reuters that its “focus is on its customers and other individuals who were affected,” and that it will offer them the option of signing up for identity theft protection.