Topgolf Callaway (Callaway) suffered a data breach at the start of August, which exposed the sensitive personal and account data of more than a million customers.
Callaway is an American sports equipment maker and seller specializing in golf equipment and accessories such as clubs, balls, bags, gloves, and caps.
The company is present in more than 70 countries worldwide and has an annual revenue of over $1.2 billion. It employs roughly 25,000 people.
In a letter sent to impacted individuals on August 29, 2023, the company explains that an IT system incident that occurred on August 1st has affected the availability of its e-commerce services and exposed certain customer information to an unauthorized entity.
The company says that it detected the incident early on and took immediate action to contain it. Compromised customer data includes:
- Full names
- Shipping addresses
- Email addresses
- Phone numbers
- Order histories
- Account passwords
- Answers to security questions
This impacts customers of Callaway and its sub-brands Odyssey, Ogio, and Callaway Golf Preowned, whose sites all operate under the same business umbrella.
Also, according to the data breach notification, the incident affected 1,114,954 individuals in the United States.
The notice clarifies that no payment card information, government ID, or Social Security Numbers (SSNs) were exposed due to the incident.
Because user account information such as passwords and answers to security questions was exposed, Callaway has forced a password reset for all customer accounts to prevent unauthorized access.
To regain access, users are automatically directed to “callawaygolf.com/reset-password,” where they can find instructions on how to proceed.
If you use the same credentials for other websites or online services, it is strongly recommended that you change those passwords to a string of alphanumeric and symbol characters. This precaution should minimize the risk of credential-stuffing attacks.
Finally, Callaway customers should be suspicious of communications asking them to share additional data, and they should treat messages from unknown senders as potentially malicious.