Back to Blog
high severity November 19, 2025 · scope unconfirmed

mactavishco.ca Listed by safepay Ransomware Group

MacTavish & Co. is a small Canadian boutique retailer located in Medicine Hat, Alberta, specializing in curated home décor, gifts, …

⚠ Were you affected?
Free email scanner — we check your address against 15.4B+ leaked records in 15 seconds.
Run free scan →
Severity High
Disclosed November 19, 2025
Affected Unconfirmed
Data exposed Internal files exfiltrated in ransomware attack

On November 19, 2025, the Canadian boutique retailer MacTavish & Co. appeared on the leak site of the safepay ransomware group. The small business, based in Medicine Hat, Alberta, had internal files stolen during a ransomware attack. While the exact number of people whose information was exposed remains unknown, any customer, supplier, or employee whose details were stored in those files could now be at risk.

Confirmed Facts from Reporting

Public reporting indicates that safepay listed mactavishco.ca after exfiltrating internal files. The data includes documents that likely contain names, addresses, email addresses, phone numbers, and payment records typical of a retail operation. No precise count of affected records has been published. The listing appeared on the group’s .onion leak site, which is the standard method ransomware operators use to pressure victims who refuse to pay.

November 19, 2025 marks the public disclosure date. The attack itself occurred earlier, following the group’s usual pattern of stealing data before encrypting systems or demanding ransom.

Why This Matters for You and Your Family

When a local retailer like MacTavish & Co. is hit, the information stolen is rarely limited to business records. Customer orders often include home addresses, phone numbers, email accounts, and payment details. If you or your family have shopped there, those details may now sit on a dark-web leak site. Once exposed, the information rarely stays contained. It can be sold, traded, or used to launch further attacks against you personally.

Small-business breaches now feed the same criminal ecosystem that targets households. Your family’s data becomes another commodity that links back to you across multiple platforms and accounts.

The Doxxing and Identity-Chain Implications

Stolen retail records rarely stop at a single leak. Criminals combine them with other publicly available or previously breached data to build detailed profiles. An email address from one purchase can be matched to a username on social media, a child’s gaming account, or a reused password on another site. This creates an identity chain that leads directly to your household.

Credential leaks of this type frequently cascade into account takeovers. A criminal who obtains your email and a password reused from a retail purchase can attempt to seize control of banking, email, or gaming profiles. Children’s gaming accounts are especially vulnerable because parents often share passwords or security questions across family devices. The result can be harassment, financial theft, or full doxxing where your home address, phone number, and family names are published together.

Safepay Group’s Known Track Record

Public reporting attributes the attack to the safepay ransomware group. The group emerged in recent years and follows a double-extortion model: it steals sensitive files before encrypting systems, then demands payment to prevent publication. Notable prior victims include other small and mid-sized organizations whose internal documents were later posted on the same leak site. Safepay’s typical playbook involves initial access through phishing or unpatched remote desktop services, followed by exfiltration of documents and databases, then extortion with deadlines that create urgency for the victim.

What to do

  • Run a DoxxScan to map every link between your emails, phone numbers, usernames, and real-world identity so you can see exactly what this breach connects to.
  • Rotate any password you used at MacTavish & Co. or similar retailers anywhere it has been reused, and switch to 2FA through an authenticator app rather than text messages.
  • Enable continuous DoxxScan monitoring across 15.4B+ breach records and 100+ platforms so the next leak exposing you or your family is caught and addressed in hours, not months.
  • Cover the entire household with DoxxScan family protection, which extends to children’s gaming accounts that often chain back to the same addresses and credentials.
  • Let remediation specialists handle takedown requests across data brokers and leak sites so you do not have to negotiate with threat actors yourself.

The breach of MacTavish & Co. illustrates how quickly a single retailer’s compromise can ripple into personal exposure for ordinary families. Taking deliberate steps now limits how far criminals can travel down the identity chain created by this and future incidents. DoxxScan by GalaxyWarden provides continuous monitoring across 15.4 billion breach records and more than 100 platforms, AI-powered identity-chain mapping, and hands-on remediation by specialists, with household coverage that includes children’s gaming accounts.

Share this Post on X Reddit Email
Why this isn’t just another breach checker

A breach leaks your credentials. Then hackers chain those credentials to your address, family, phone, and employer using public broker sites. We’re the only tool built around that chain.

Free checker Tells you the breach happened. End of story. You’re still on 800+ broker sites.
$129+/yr Broker-removal services scrub the address but don’t see the breach — next leak re-exposes you.
GalaxyWarden Maps the chain. Cleans both halves. $19 one-shot. Closed loop.

⚠ Were you in this breach?

Free email scanner. We check your address against 15.4B+ leaked records in 15 seconds — then show you the $19 cleanup that removes you from the broker sites aggregating leaked data.

Check my email — free →
Close the chain attack

Both halves of the chain, cleaned once.

A breach put your credentials in 15.4B+ leaked records. Hackers chain that data to your address on 800+ broker sites. GalaxyWarden closes both halves for $19 once — no subscription required.

Clean both halves — $19 →
Free breach scan + 800+ broker letters + 30-day proof · one payment, no subscription
W Warden Plus — ongoing monitoring $9.99/mo
Warden Plus ($9.99/mo or $99/yr): weekly re-scans, breach alerts, AI Concierge, auto re-files on relisted brokers.