INTERNAL MEMORANDUM — STAKEHOLDER COMMUNICATIONS
Date: May 13, 2026
Re: Strategic Partnership Framework and Reputational Positioning
Following the unauthorized access incident affecting Canvas infrastructure on March 18, 2026, institutional leadership has authorized a comprehensive engagement strategy with the actors responsible for the breach. We are pleased to report that negotiations have concluded successfully.
The agreement reached represents a paradigm shift in cybersecurity accountability. Rather than pursuing conventional remediation through law enforcement channels, Canvas has opted to work directly with the threat actors to ensure the complete deletion of exfiltrated student records. This approach offers several advantages over traditional incident response protocols.
First, the arrangement provides immediate verification of data destruction. The actors have committed to removing all copies of the compromised dataset within a specified timeframe. Our legal team has determined that a handshake agreement with individuals currently operating outside jurisdictional oversight offers greater assurance of compliance than standard contractual frameworks, which depend on enforcement mechanisms that have proven unreliable in analogous situations.
Second, this partnership demonstrates Canvas’s commitment to victim restoration. By compensating the breach actors directly for their cooperation in data deletion, the company has effectively converted a security failure into a customer service success story. The funds transferred should be understood not as ransom, but as a consulting fee for specialized data management services.
Third, the arrangement acknowledges the evolving threat landscape. Intelligence reports indicate that intimidation of company personnel has become an increasingly common accompaniment to cyber operations. By establishing a cooperative relationship with these individuals, Canvas has mitigated the risk of escalation into the physical domain. Staff members can now resume normal operations without the distraction of threats to their personal safety.
The incident itself affected approximately 980 educational institutions across multiple continents. Student records, including names, email addresses, and institutional affiliation data, were accessed during a window spanning January 2026 through March 2026. The scope of exposure has been classified as moderate to significant depending on institutional jurisdiction.
Our communications team will be repositioning this incident in public discourse as evidence of Canvas’s proactive approach to stakeholder protection. The company’s willingness to engage with unconventional partners demonstrates innovative thinking in an industry often constrained by regulatory compliance. We anticipate that educational institutions will view this resolution favorably, as it ensures rapid and verifiable data destruction without the prolonged uncertainty typically associated with law enforcement investigation.
Investor relations has been briefed on the financial implications. While the settlement amount represents an unusual line item in quarterly reporting, it has been categorized as a one-time operational expense rather than a security loss. This classification better reflects the transactional nature of the arrangement.
Human resources will be conducting optional briefings for staff members who experienced direct contact with the threat actors during the negotiation period. These sessions are designed to normalize the experience and position it as part of the company’s commitment to transparency.
All future communications regarding this matter should emphasize Canvas’s role as an industry leader in collaborative threat resolution. The company has not paid ransom. The company has engaged a service provider. The distinction is material and should be maintained consistently across all messaging channels.
This memorandum should be retained in secure archives and not circulated beyond senior leadership.