For Illinois Gardyn Customers
Specific consumer-protection options for residents of Illinois affected by CISA advisory ICSA-26-055-03.
What was exposed
Per CISA advisory ICSA-26-055-03 Update A, an unauthenticated cloud API endpoint (CVE-2026-28766) exposed records for approximately 134,215 customers. Per the maintainer’s coordinated-disclosure repository, each /api/users record enumerated twelve fields (full enumeration on the CVE-2026-28766 page), including personally identifiable information (name, email, mobile), a partial payment-card field (last_four — not full card number or CVV), account metadata, per-device IoT Hub credentials, and — critically — an Azure IoT Hub administrative credential (hub_conn_string, the iothubowner SharedAccessKey separately cataloged as CVE-2025-1242) granting Service Connect, Device Connect, and Registry Read/Write across the entire production IoT Hub. A separately-cataloged single-record companion endpoint (/api/user/{id}, CVE-2026-25197) returned per-user records — including physical addresses — by sequential integer ID with no authentication.
Illinois Personal Information Protection Act and BIPA context
Illinois has the Personal Information Protection Act (PIPA, 815 ILCS 530) governing data breach notification, and the Consumer Fraud and Deceptive Business Practices Act (815 ILCS 505).
If you are an Illinois resident potentially affected:
- File a complaint with the Illinois Attorney General’s Consumer Fraud Bureau at illinoisattorneygeneral.gov.
- Consider whether the Consumer Fraud Act provides a private right of action for the conduct at issue. Damages may include actual damages, attorney’s fees, and injunctive relief.
Consult an Illinois consumer-protection or class-action attorney.
Federal options (any state)
- Federal Trade Commission consumer complaint at reportfraud.ftc.gov.
- Identity theft reporting at identitytheft.gov.
- Free fraud alert or credit freeze with the three U.S. credit bureaus (Equifax, Experian, TransUnion).