For New York Gardyn Customers

Specific consumer-protection options for residents of New York affected by CISA advisory ICSA-26-055-03.

This page summarizes general legal context for New York residents. It is not legal advice. Consult an attorney licensed in New York for advice specific to your situation.

What was exposed

Per CISA advisory ICSA-26-055-03 Update A, an unauthenticated cloud API endpoint (CVE-2026-28766) exposed records for approximately 134,215 customers. Per the maintainer’s coordinated-disclosure repository, each /api/users record enumerated twelve fields (full enumeration on the CVE-2026-28766 page), including personally identifiable information (name, email, mobile), a partial payment-card field (last_four — not full card number or CVV), account metadata, per-device IoT Hub credentials, and — critically — an Azure IoT Hub administrative credential (hub_conn_string, the iothubowner SharedAccessKey separately cataloged as CVE-2025-1242) granting Service Connect, Device Connect, and Registry Read/Write across the entire production IoT Hub. A separately-cataloged single-record companion endpoint (/api/user/{id}, CVE-2026-25197) returned per-user records — including physical addresses — by sequential integer ID with no authentication.

New York SHIELD Act and consumer protection

The New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act expands data breach notification obligations and imposes reasonable security requirements for businesses holding the private information of New York residents.

If you are a New York resident potentially affected, you may:

File a complaint with the New York Attorney General’s Bureau of Internet and Technology at ag.ny.gov/internet/complaint.
File a consumer complaint at ag.ny.gov/consumer-frauds/filing-consumer-complaint.
Consider class-action representation. New York General Business Law § 349 prohibits deceptive acts and practices and provides for actual damages plus attorney’s fees in successful actions.

Consult a New York consumer-protection or class-action attorney.

Federal options (any state)

Federal Trade Commission consumer complaint at reportfraud.ftc.gov.
Identity theft reporting at identitytheft.gov.
Free fraud alert or credit freeze with the three U.S. credit bureaus (Equifax, Experian, TransUnion).

← All customer information