The governor and attorney general of Connecticut pledged to continue to investigate the Bank of New York Mellon and its handling of the theft of backup tapes in February and April, after the financial institution again raised its estimate of the number of consumers affected by the breaches.

On Tuesday, the office of Attorney General Richard Blumenthal warned that an additional 135,000 Connecticut residents were affected by the theft of the tapes, which contained the unencrypted names, addresses, birth dates and Social Security numbers of more than 12 million people nationwide. Connecticut officials have actively investigated the bank for its delays in notifying customers of the loss of data.

On February 27, one of ten boxes of backup tapes was stolen from a van carrying the tapes to a data-storage facility. The tapes included information on Bank of NY Mellon's customers and other banks as well. In April, a courier service lost a single tape containing client and customer information, the bank said. Nearly three months after the original breach and following subpoenas issued by state prosecutors, the Bank of NY Mellon stated that 4.5 million people had been affected nationwide. On Tuesday, a half a year after the original breach, the bank nearly tripled that number.

"Mellon's delay in notifying is inexcusable and inexplicable," Blumenthal said in a statement. "More than 130,000 state residents are learning only now -- nearly seven months after the fact -- that their most sensitive personal data may have been stolen, exposing them to the nightmare of identity theft."

Stealing backup tapes is a low-tech, but effective, way to gather the information needed for identity theft. The most dangerous breaches, however, appear to result from network compromises an insiders. In March, grocery store chain Hannaford Brothers announced that information on more than 4 million credit and debit cards had been stolen from its transaction-processing network. In 2007, retail giant TJX announced that more than 45 million credit and debit cards had been stolen from its network, a number that court documents released at the end of the year more than doubled.

The latest increase in the number of people affected by the breach brings Connecticut's tally to 635,000. Connecticut, like many other states, has a law requiring that companies notify consumers whenever the theft or loss of data could lead to identity theft.

If you have tips or insights on this topic, please contact SecurityFocus.