Data leak

Michaels Stores POS Malware Breach — 3 Million Payment Cards

📅 2013-05-08 🏢 Michaels Stores / Aaron Brothers point-of-sale systems 🦠 POS RAM-scraping malware

Incident Details

Between 8 May 2013 and 27 January 2014, POS malware infected approximately 7.2% of Michaels stores’ point-of-sale terminals nationwide, capturing payment card data for approximately 2.6 million cards. A simultaneous attack on Michaels’ subsidiary Aaron Brothers affected approximately 400,000 cards. Michaels Stores is the largest US arts and crafts retail chain. The attack was sophisticated — the malware was engineered to avoid detection by Michaels’ existing security tools. The breach was discovered after patterns of fraudulent card activity were traced back to Michaels locations. Michaels investigated with FireEye and the US Secret Service. The breach was notable as one of the first wave of major US POS malware incidents, occurring in the same period as the Target, Neiman Marcus, and eventually Home Depot and other breaches, all attributed to Eastern European cybercriminal groups using variants of BlackPOS/Kaptoxa malware. Michaels disclosed the breach on 17 April 2014, over eight months after it began. Class-action lawsuits were filed. The breach contributed to growing pressure on US retailers to adopt chip-and-PIN payment technology.

Technical Details

Initial Attack Vector
Sophisticated POS RAM-scraping malware was installed on point-of-sale terminals at Michaels arts-and-crafts retail stores and its subsidiary Aaron Brothers. The malware was specifically engineered to evade Michaels' security tools, and it captured payment card track data from memory during transactions.
Vendor / Product
Michaels Stores / Aaron Brothers point-of-sale systems
Malware Family
POS RAM-scraping malware

Timeline

  1. 2013-05-08 Breach occurred
  2. 2014-04-17 Publicly disclosed
  3. 2014-04-17 Customers notified