Credential theft
Michaels Stores POS Malware Breach (2.6M Cards, Aaron Brothers)
Incident Details
Michaels Stores, the US arts and crafts retail chain, confirmed in April 2014 that a data breach between May 8, 2013 and January 27, 2014 (approximately 9 months) had compromised approximately 2.6 million credit and debit card accounts from 877 Michaels stores and 54 Aaron Brothers stores (a Michaels subsidiary) across the United States. Michaels first publicly acknowledged a potential breach on January 26, 2014, shortly after reporting of the Target and Neiman Marcus breaches prompted wider scrutiny of retail security. Cards used at affected stores between May 2013 and January 2014 were at risk. Exposed data included payment card numbers, expiration dates, and CVV data. Michaels engaged Kroll and RSA Security for the investigation. The company offered customers 12 months of free identity protection services. This was Michaels’ second known payment card breach: a previous incident in 2010–2011 involved compromised PIN pad devices at ~90 stores. The Aaron Brothers subsidiary operated as a custom framing business within and adjacent to Michaels stores.
Technical Details
- Initial Attack Vector: POS malware deployed on payment systems at Michaels arts and crafts stores and Aaron Brothers stores; initial access likely via compromised third-party vendor credentials; malware captured Track 1 and Track 2 magnetic stripe data
- Malware Family: POS malware (Track data scraper)
Timeline
- 2013-05-08 Breach occurred
- 2014-01-26 Publicly disclosed
- 2014-04-17 Customers notified