For Massachusetts Gardyn Customers

Specific consumer-protection options for residents of Massachusetts affected by CISA advisory ICSA-26-055-03.

This page summarizes general legal context for Massachusetts residents. It is not legal advice. Consult an attorney licensed in Massachusetts for advice specific to your situation.

What was exposed

Per CISA advisory ICSA-26-055-03 Update A, an unauthenticated cloud API endpoint (CVE-2026-28766) exposed records for approximately 134,215 customers, including names, email addresses, phone numbers, physical addresses, and the last_four partial credit-card field.

Massachusetts Data Security Law and Chapter 93A

Massachusetts has one of the strictest data security regulations in the U.S. (201 CMR 17.00) and a strong consumer-protection statute (M.G.L. c. 93A) that prohibits unfair or deceptive acts in trade or commerce and provides for double or treble damages plus attorney’s fees.

If you are a Massachusetts resident potentially affected:

File a complaint with the Massachusetts Attorney General’s Consumer Advocacy & Response Division at mass.gov/how-to/file-a-consumer-complaint.
Send a 30-day demand letter under c. 93A § 9 prior to filing a private action; this is a procedural requirement.
Consider class-action representation under c. 93A.

Consult a Massachusetts consumer-protection attorney.

Federal options (any state)

Federal Trade Commission consumer complaint at reportfraud.ftc.gov.
Identity theft reporting at identitytheft.gov.
Free fraud alert or credit freeze with the three U.S. credit bureaus (Equifax, Experian, TransUnion).

← All customer information