By Cam Sivesind
Wed | Sep 6, 2023 | 5:15 AM PDT

More than 1.1 million U.S. customers of Callaway, the American sports equipment maker best known for its golf equipment and accessories, had their personal data compromised in an early-August data breach.

In an August 29 letter, parent company Topgolf Callaway Brands Corp. alerted customers to the incident, disabling security questions and forcing customers to take a mulligan on their passwords: a password reset is required for all accounts. From the letter:

"We are writing today to inform you of a recent IT system incident that impacted certain Callaway, Odyssey, Ogio and Callaway Golf Preowned customers. Please see below for information on how we responded, and action required in relation to your account password with our Callaway, Odyssey, Ogio, and/or Callaway Golf Preowned sites.

What Happened: Recently, we identified unusual system activity on or around August 1, 2023. Thankfully, due to the quick work of our team, we detected this incident early and took steps to contain it. Our customers experienced a temporary outage before our e-commerce services resumed."

The letter later added: "Importantly, no full payment card numbers and government identification numbers, such as Social Security numbers, were affected as we do not store this information."

Compromised customer data included:

•  Full names
•  Shipping addresses
•  Email addresses
•  Phone numbers
•  Order histories
•  Account passwords
•  Answers to security questions

Here are some comments regarding the breach from the cybersecurity vendor community:

Ryan Sher, Vice President of Threat Intelligence, Palo Alto Networks:

The breach "highlights the importance of having strong security measures in place to protect customer data." Sher also said that the company should have been using multi-factor authentication and other security measures to make it more difficult for attackers to gain access to its systems.

Stealthbits commented on the breach through a blog post by its Director of Threat Intelligence, Kevin Beaumont. Beaumont said that the breach was "a reminder that no company is immune to a cyberattack, regardless of their size or industry." He also commended Callaway for its quick response to the breach and for offering free credit monitoring to affected customers. However, he urged the company to take steps to improve its security posture to prevent future breaches.

Claude Mandy, Chief Evangelist, Data Security, at Symmetry Systems:

"My thoughts are with the impacted golfers and the dedicated incident response teams at Callaway that have worked tirelessly to address the situation. The combination of data breach and ransomware attack has become a distressingly common occurrence as threat actors attempt to leverage compromised data for financial gain through continued extortion.

While Callaway has been forthcoming about the extent and nature of the data that was breached, there are some aspects hinted at that warrant further attention, including the root cause of the incident. More concerning is the appearance that the passwords and secret questions stored by Callaway were apparently left unprotected, devoid of encryption or hashing measures that are fundamental to secure sensitive information. This oversight in data security practices underscores a critical vulnerability within the organization's infrastructure."
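Mandy's point about passwords and security-question answers stored without hashing is the one concrete control on this page that code can illustrate. The following is an added example, not Callaway's code or anything from the letter: it stores both kinds of secret as salted PBKDF2-HMAC-SHA256 hashes using only the Python standard library, so a copy of the account table does not directly reveal the password or the answer. The iteration count, the answer normalization rule, the record format and the account-record layout are assumptions made for the example.

```python
import hashlib
import hmac
import os
import unicodedata

# Assumed parameters (not from the page): PBKDF2-HMAC-SHA256 with a random
# per-record salt. 600,000 iterations follows current OWASP guidance for this KDF.
ITERATIONS = 600_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def _normalize_answer(answer: str) -> str:
    """Security-question answers are matched loosely: 'Fluffy', ' fluffy ' and
    'FLUFFY' are the same dog. Normalize case, Unicode form and whitespace
    before hashing so the answer is still stored only as a one-way hash."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_secret(secret: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_secret(secret: str, record: str) -> bool:
    """Recompute the hash with the salt and iteration count stored in the record
    and compare in constant time. Any malformed record simply fails to verify."""
    try:
        algorithm, iterations_text, salt_hex, digest_hex = record.split("$")
        if algorithm != ALGORITHM:
            return False
        iterations = int(iterations_text)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    return hash_secret(password, iterations)


def verify_password(password: str, record: str) -> bool:
    return verify_secret(password, record)


def hash_security_answer(answer: str, iterations: int = ITERATIONS) -> str:
    return hash_secret(_normalize_answer(answer), iterations)


def verify_security_answer(answer: str, record: str) -> bool:
    return verify_secret(_normalize_answer(answer), record)


def create_account(email: str, password: str, answer: str, iterations: int = ITERATIONS) -> dict:
    """Build the record that would be persisted. Only hashes are kept; the
    plaintext password and answer never reach storage (assumed layout)."""
    return {
        "email": email,
        "password_hash": hash_password(password, iterations),
        "answer_hash": hash_security_answer(answer, iterations),
    }


if __name__ == "__main__":
    # Constructed sample account, not real customer data.
    account = create_account("golfer@example.com", "Birdie!2023", "Fluffy")
    print(account)
    print(verify_password("Birdie!2023", account["password_hash"]))      # True
    print(verify_security_answer("  fluffy ", account["answer_hash"]))    # True
    print(verify_password("Bogey!2023", account["password_hash"]))       # False
```

Because the salt and iteration count travel with each record, the cost parameter can be raised later and old records re-hashed on the user's next successful login without a migration of the whole table. Normalizing answers before hashing is a trade-off: it makes guesses slightly cheaper per record, which is one more reason to treat security questions as a weak factor rather than a password substitute.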

Craig Jones, Vice President of Security Operations at Ontinue:

"The recent data breach at Topgolf Callaway highlights the vulnerabilities that even established corporations face. With over a million customers affected, the breach has significant implications for both the company and its clientele.

Reputation and Trust: One of the most immediate impacts of such a breach is the potential erosion of trust among customers. Callaway, a renowned name in the golfing world, has built its reputation over years. A breach of this magnitude can lead to skepticism about the company's ability to safeguard user data.

Callaway's long-term response to the breach will play a crucial role in shaping public perception. They detected the incident early on and took immediate action to contain it, which is commendable. However, the time taken between the detection of the breach on August 1st and the notification to impacted individuals on August 29th might raise concerns. A delay in communication can be perceived as a lack of transparency or urgency, even if the company was working behind the scenes to understand the extent of the breach and take corrective measures.

Beyond the immediate costs of addressing the breach—which includes forensic investigations, legal consultations, and public relations efforts—Callaway might face potential lawsuits from affected customers. Additionally, there could be a temporary dip in sales as wary customers might hesitate to make online purchases from the company's platforms. Given the scale of the breach, regulatory bodies will likely investigate the incident. Callaway might face penalties if found in violation of data protection regulations, especially if they did not adhere to the required protocols or were lax in their cybersecurity measures.

The breach affected the availability of Callaway's e-commerce services. Such disruptions can lead to lost sales, especially if the systems were down during peak shopping times or important sales events. In response to the breach, Callaway will likely invest significantly in enhancing its cybersecurity infrastructure. This includes not just advanced firewalls and intrusion detection systems but also employee training and awareness programs.

While Callaway acted promptly to contain the breach, the incident underscores the importance of robust cybersecurity measures and timely communication with stakeholders. The long-term impact on Callaway will depend on their ongoing response, communication with affected customers, and measures to prevent future breaches."

Affected customers who use the same compromised password for other sites are encouraged to update their passwords on those sites, as well. Callaway customers should be suspicious of communications requesting to share additional data, and they should treat messages from unknown senders as potentially malicious.

Callaway is still investigating the cause of the breach, but the company says it believes it was due to a malicious attack on its IT systems. The company has taken steps to improve its security measures, including adding additional layers of protection around its data and improving its security protocols.

This is the second major data breach that Callaway has experienced in recent years. In 2019, the company was hacked and the personal data of more than 500,000 customers was exposed.