For California Gardyn Customers
Specific consumer-protection options for residents of California affected by CISA advisory ICSA-26-055-03.
What was exposed
Per CISA advisory ICSA-26-055-03 Update A, an unauthenticated cloud API endpoint (CVE-2026-28766) exposed records for approximately 134,215 customers, including names, email addresses, phone numbers, physical addresses, and the last_four partial credit-card field.
California Consumer Privacy Act (CCPA / CPRA)
California is the most consumer-favorable jurisdiction in the U.S. for data breach matters. The CCPA, as amended by the California Privacy Rights Act (CPRA), provides a private right of action under Civil Code § 1798.150 for breaches of unencrypted, unredacted personal information caused by a business’s violation of its duty to implement reasonable security procedures.
If you are a California resident whose personal information was within the scope described in CISA CVE-2026-28766 (name, email, phone number, physical address, last-four payment card data), you may have rights including:
- Statutory damages of $100 to $750 per consumer per incident, or actual damages, whichever is greater (Civ. Code § 1798.150).
- Right to know what categories of personal information a business has collected about you, and right to deletion (Civ. Code § 1798.110, § 1798.105).
- Right to file a complaint with the California Privacy Protection Agency at cppa.ca.gov or with the California Attorney General at oag.ca.gov.
Consult a California consumer-protection or class-action attorney for advice specific to your situation.
Federal options (any state)
- Federal Trade Commission consumer complaint at reportfraud.ftc.gov.
- Identity theft reporting at identitytheft.gov.
- Free fraud alert or credit freeze with the three U.S. credit bureaus (Equifax, Experian, TransUnion).