For Massachusetts Gardyn Customers
Specific consumer-protection options for residents of Massachusetts affected by CISA advisory ICSA-26-055-03.
What was exposed
Per CISA advisory ICSA-26-055-03 Update A, an unauthenticated cloud API endpoint (CVE-2026-28766) exposed records for approximately 134,215 customers. Per the maintainer’s coordinated-disclosure repository, each /api/users record enumerated twelve fields (full enumeration on the CVE-2026-28766 page), including personally identifiable information (name, email, mobile), a partial payment-card field (last_four, not the full card number or CVV), account metadata, and per-device IoT Hub credentials. Critically, each record also included an Azure IoT Hub administrative credential (hub_conn_string, the iothubowner SharedAccessKey separately cataloged as CVE-2025-1242) granting Service Connect, Device Connect, and Registry Read/Write across the entire production IoT Hub. A separately cataloged single-record companion endpoint (/api/user/{id}, CVE-2026-25197) returned per-user records, including physical addresses, by sequential integer ID with no authentication.
Massachusetts Data Security Law and Chapter 93A
Massachusetts has one of the strictest data security regulations in the U.S. (201 CMR 17.00) and a strong consumer-protection statute (M.G.L. c. 93A) that prohibits unfair or deceptive acts in trade or commerce and provides for double or treble damages plus attorney’s fees.
If you are a Massachusetts resident potentially affected:
- File a complaint with the Massachusetts Attorney General’s Consumer Advocacy & Response Division at mass.gov/how-to/file-a-consumer-complaint.
- Send a 30-day demand letter under c. 93A § 9 prior to filing a private action; this is a procedural requirement.
- Consider class-action representation under c. 93A.
Consult a Massachusetts consumer-protection attorney.
Federal options (any state)
- Federal Trade Commission consumer complaint at reportfraud.ftc.gov.
- Identity theft reporting at identitytheft.gov.
- Free fraud alert or credit freeze with the three U.S. credit bureaus (Equifax, Experian, TransUnion).