For New Jersey Gardyn Customers
Specific consumer-protection options for residents of New Jersey affected by CISA advisory ICSA-26-055-03.
What was exposed
Per CISA advisory ICSA-26-055-03 Update A, an unauthenticated cloud API endpoint (CVE-2026-28766) exposed records for approximately 134,215 customers. Per the maintainer’s coordinated-disclosure repository, each /api/users record enumerated twelve fields (full enumeration on the CVE-2026-28766 page), including personally identifiable information (name, email, mobile), a partial payment-card field (last_four — not full card number or CVV), account metadata, per-device IoT Hub credentials, and — critically — an Azure IoT Hub administrative credential (hub_conn_string, the iothubowner SharedAccessKey separately cataloged as CVE-2025-1242) granting Service Connect, Device Connect, and Registry Read/Write across the entire production IoT Hub. A separately cataloged single-record companion endpoint (/api/user/{id}, CVE-2026-25197) returned per-user records — including physical addresses — by sequential integer ID with no authentication.
New Jersey breach-notification statute and consumer protection
New Jersey’s data-breach notification statute (N.J.S.A. 56:8-163) requires businesses that disclose personal information of New Jersey residents through a breach of security to notify the affected individuals and, in advance of that customer notification, the New Jersey Division of State Police. The statute defines personal information to include first name (or first initial) and last name in combination with a Social Security number, driver’s license or non-driver identification number, account number, credit or debit card number (with any required security or access code), username or email address with a password or security question, or dissociated data that, if linked, would constitute personal information.
If you are a New Jersey resident potentially affected, you may:
- File a consumer complaint with the New Jersey Division of Consumer Affairs at njconsumeraffairs.gov/Pages/Consumer-Complaint.aspx.
- File a complaint or tip with the New Jersey Office of the Attorney General at njoag.gov/contact/.
- Consider class-action representation. The New Jersey Consumer Fraud Act (N.J.S.A. 56:8-1 et seq.) prohibits unconscionable commercial practices and provides for treble damages and reasonable attorney’s fees on proof of an ascertainable loss caused by an unlawful practice.
Consult a New Jersey consumer-protection or class-action attorney.
Federal options (any state)
- Federal Trade Commission consumer complaint at reportfraud.ftc.gov.
- Identity theft reporting at identitytheft.gov.
- Free fraud alert or credit freeze with the three U.S. credit bureaus (Equifax, Experian, TransUnion).