Grace Design Studios Data Breach

Grace Design Studios disclosed a ransomware-related cybersecurity incident involving unauthorized access to employee data in March 2026. The breach potentially exposed names, Social Security numbers, and identification information. Affected individuals are being offered complimentary identity monitoring and credit monitoring services through Kroll.

Grace Design Studios
Date of Breach: April 30, 2026

Who was affected:

Clients of Grace Design Studios

Impacted Data:

  • Names
  • Social Security numbers
  • Driver’s license numbers
  • State identification numbers

AEC Holdco, LLC d/b/a Grace Design Studios, LLC recently disclosed a ransomware-related cybersecurity incident that may have exposed sensitive personal information belonging to current and former employees. According to the company, unauthorized actors accessed and acquired data from its network in March 2026. Grace Design Studios states it has since implemented additional cybersecurity protections and is offering complimentary identity monitoring services through Kroll.

Grace Design Studios’ Data Breach Investigation

According to a notice submitted to the New Hampshire Attorney General, Grace Design Studios discovered suspicious activity within its network environment on March 6, 2026. The company determined that it had been the victim of a ransomware incident involving unauthorized access to company systems.

After discovering the activity, Grace reportedly took immediate steps to secure its systems by taking portions of the network offline, deploying endpoint detection and response tools, and retaining outside cybersecurity professionals to conduct a forensic investigation. During the investigation, the company learned on March 13, 2026, that certain data from its network had been accessed and acquired by an unauthorized actor.

The company then undertook a detailed review of the affected data to determine what information was involved and identify impacted individuals. That review concluded on March 31, 2026, at which point Grace confirmed that personal information belonging to current and former employees was included within the compromised dataset.

According to the notice, the potentially affected information included individuals’ names and Social Security numbers. In some cases, the exposed data may also have included driver’s license numbers or state identification information. The company stated that notifications were initially sent to current and former employees, while additional reviews involving employee dependents were ongoing at the time of the filing.

Grace Design Studios reported that it notified affected individuals by U.S. mail beginning on April 30, 2026. The company also established a dedicated call center through Kroll and offered complimentary identity protection and credit monitoring services to impacted individuals. In response to the incident, Grace stated that it redesigned portions of its network infrastructure, implemented a Security Information and Event Management (SIEM) system, refined monitoring alerts, and developed updated information security policies and safeguards.

When Did This Breach Occur?

Grace Design Studios discovered suspicious activity on March 6, 2026.

The company later determined that unauthorized actors accessed and acquired data from the network by March 13, 2026. The review of affected data concluded on March 31, 2026, and notification letters were mailed beginning on April 30, 2026.

What Information Was Breached?

According to Grace Design Studios, the potentially exposed information may have included:

  • Names
  • Social Security numbers
  • Driver’s license numbers
  • State identification numbers

The company stated that the specific information involved varied by individual.

What You Can Do

If you received a notice from Grace Design Studios regarding this incident, there are several important steps you can take to help protect your personal information:

  • Enroll in the complimentary identity monitoring and credit monitoring services offered through Kroll.
  • Monitor your bank accounts, tax records, and credit reports for suspicious activity or unauthorized transactions.
  • Consider placing a fraud alert or security freeze with Equifax, Experian, and TransUnion.
  • Obtain free annual credit reports through AnnualCreditReport.com.
  • Change passwords associated with sensitive financial or employment-related accounts.
  • Remain cautious of phishing emails, phone calls, or text messages referencing the incident.
  • Promptly report suspicious activity to financial institutions, the Federal Trade Commission, or local law enforcement.

The complimentary services offered through Kroll reportedly include:

  • Credit Monitoring
  • Fraud Consultation
  • Identity Theft Restoration Services

Grace also encouraged affected individuals to remain vigilant by reviewing account statements and credit reports regularly for signs of identity theft or fraud.

File a Data Breach Lawsuit Against Grace Design Studios

Individuals affected by the Grace Design Studios data breach may have legal rights and could qualify to pursue compensation related to the exposure of their sensitive personal information. Data breach lawsuits may seek compensation for damages related to identity theft risks, financial losses, time spent addressing fraud concerns, and the loss of privacy associated with the unauthorized disclosure of sensitive data.

Companies that maintain Social Security numbers and other confidential employee information are expected to implement reasonable cybersecurity safeguards to protect that information from unauthorized access. When those protections fail, affected individuals may face long-term risks involving identity theft and financial fraud.

Contact us at Class Action U, where we’ll connect you with a lawyer skilled in class action lawsuits. If you’ve been contacted about this breach, received notice, or discovered you were impacted, fill out our quick, easy, and secure form to sign up. There is no cost to reach out to our legal partner and no obligation after speaking with someone from our team.


Frequently Asked Questions

A data breach occurs when sensitive, confidential, or protected information is accessed, stolen, or disclosed without authorization. Data breaches often occur through phishing emails, malware, weak passwords, insider threats, or unsecured databases. Indicators of a data breach can include unexpected password resets, suspicious account activity, unauthorized transactions, or notifications from companies about compromised information. If you suspect your data has been compromised, act quickly: change passwords, enable two-factor authentication, review your financial accounts for unusual activity, and consider freezing your credit.

Once stolen, your personal information may be sold on the dark web or used for identity theft and financial fraud. In some cases, hackers use the data to extort companies or launch further attacks. Victims often face long-term risks, including damage to credit and privacy.

If you receive a data breach notification, don’t ignore it. Immediately change passwords for the affected account and any others that share credentials. Enroll in any free credit monitoring services offered and monitor financial statements closely.

To pursue a data breach claim, you’ll need documentation showing your information was compromised and proof of resulting harm, such as fraudulent charges, credit score damage, or identity theft reports. Notification letters, financial records, and communication with the breached company can help support your claim.

Yes. If a company fails to protect consumer data or delays notifying victims, it may be held liable under state and federal privacy laws. Many victims join class action lawsuits to recover financial losses and hold negligent organizations accountable.

Data breach settlements vary widely depending on the size of the breach, type of data compromised, and damages suffered by victims. Payouts may include cash compensation, identity theft protection, or reimbursement for losses. Many settlements range from a few hundred to several thousand dollars per person. A skilled data breach lawyer can guide victims through the complex legal process, ensuring their rights are protected. If you’ve received a data breach notification or believe your personal data was exposed, you may be eligible for compensation. Contact Class Action U to learn more about how to join a data breach lawsuit and understand the process of filing.