For Texas Gardyn Customers
Specific consumer-protection options for residents of Texas affected by CISA advisory ICSA-26-055-03.
What was exposed
Per CISA advisory ICSA-26-055-03 Update A, an unauthenticated cloud API endpoint (CVE-2026-28766) exposed records for approximately 134,215 customers. Per the maintainer’s coordinated-disclosure repository, each /api/users record enumerated twelve fields (full enumeration on the CVE-2026-28766 page), including personally identifiable information (name, email, mobile), a partial payment-card field (last_four, not the full card number or CVV), account metadata, per-device IoT Hub credentials, and, critically, an Azure IoT Hub administrative credential (hub_conn_string, the iothubowner SharedAccessKey separately cataloged as CVE-2025-1242) granting Service Connect, Device Connect, and Registry Read/Write across the entire production IoT Hub. A separately cataloged single-record companion endpoint (/api/user/{id}, CVE-2026-25197) returned per-user records, including physical addresses, by sequential integer ID with no authentication.
Texas Identity Theft Enforcement and Protection Act
Texas has the Identity Theft Enforcement and Protection Act (Bus. & Com. Code Ch. 521), which governs breach notification, and the Deceptive Trade Practices Act (DTPA, Bus. & Com. Code Ch. 17), which provides consumer-protection remedies, including treble damages for knowing violations.
If you are a Texas resident potentially affected:
- File a complaint with the Texas Attorney General’s Consumer Protection Division at texasattorneygeneral.gov.
- Send the DTPA-required pre-suit notice if you are pursuing a private action.
- Consider class-action representation under DTPA.
Consult a Texas consumer-protection attorney.
Federal options (any state)
- Federal Trade Commission consumer complaint at reportfraud.ftc.gov.
- Identity theft reporting at identitytheft.gov.
- Free fraud alert or credit freeze with the three U.S. credit bureaus (Equifax, Experian, TransUnion).