For California Gardyn Customers
Specific consumer-protection options for residents of California affected by CISA advisory ICSA-26-055-03.
What was exposed
Per CISA advisory ICSA-26-055-03 Update A, an unauthenticated cloud API endpoint (CVE-2026-28766) exposed records for approximately 134,215 customers. Per the maintainer’s coordinated-disclosure repository, each /api/users record enumerated twelve fields (full enumeration on the CVE-2026-28766 page), including personally identifiable information (name, email, mobile), a partial payment-card field (last_four — not full card number or CVV), account metadata, and per-device IoT Hub credentials. Critically, each record also included an Azure IoT Hub administrative credential (hub_conn_string, the iothubowner SharedAccessKey separately cataloged as CVE-2025-1242) granting Service Connect, Device Connect, and Registry Read/Write across the entire production IoT Hub. A separately cataloged single-record companion endpoint (/api/user/{id}, CVE-2026-25197) returned per-user records — including physical addresses — by sequential integer ID with no authentication.
California Consumer Privacy Act (CCPA / CPRA)
California provides notable statutory remedies for consumers in data breach matters. The CCPA, as amended by the California Privacy Rights Act (CPRA), provides a private right of action under Civil Code § 1798.150 for breaches of unencrypted, unredacted personal information caused by a business’s violation of its duty to implement reasonable security procedures.
If you are a California resident whose personal information was within the scope described in CISA CVE-2026-28766 (name, email, phone number, physical address, last-four payment card data), you may have rights including:
- Statutory damages of $100 to $750 per consumer per incident, or actual damages, whichever is greater (Civ. Code § 1798.150).
- Right to know what categories of personal information a business has collected about you, and right to deletion (Civ. Code § 1798.110, § 1798.105).
- Right to file a complaint with the California Privacy Protection Agency at cppa.ca.gov or with the California Attorney General at oag.ca.gov.
Consult a California consumer-protection or class-action attorney for advice specific to your situation.
Federal options (any state)
- Federal Trade Commission consumer complaint at reportfraud.ftc.gov.
- Identity theft reporting at identitytheft.gov.
- Free fraud alert or credit freeze with the three U.S. credit bureaus (Equifax, Experian, TransUnion).