Golf club maker Callaway says 1 million affected by data breach

The company that sells the Callaway brand of golf gear reported a data breach that affected more than 1 million people.

Topgolf Callaway Brands Corp. has been notifying customers that some users of its e-commerce websites had information exposed in an “IT system incident” that began August 1.

The breach affected customers of the “Callaway, Odyssey, Ogio, and/or Callaway Golf Preowned sites,” the company said. Exposed information included account passwords and answers to security questions, as well as names, mailing addresses, email addresses, phone numbers and order histories.

“Upon learning of the incident, Topgolf Callaway initiated an investigation with the assistance of external advisors and notified law enforcement,” the company said. The breach was discovered on August 16 and the company began notifying customers on Tuesday, according to a listing from the Office of the Maine Attorney General.

No payment card numbers or Social Security numbers were affected, Topgolf Callaway said.

The company forced a password reset for customers and said it “has taken a number of additional steps to further secure its data, including adding protective security layers around its data, improving security protocols that govern access to its systems, and continuing to work with outside experts to enhance the security of its systems.”

Topgolf Callaway, based in Carlsbad, California, did not specify the nature or source of the incident.

The company’s chain of outdoor Topgolf recreation centers is not mentioned in the notice to customers.