Wednesday, July 1, 2026
English edition

Development

Verizon sent man a refurbished phone with MDM, then deleted his data remotely

June 12, 2026 Development Source: Ars Technica

Verizon sent man a refurbished phone with MDM, then deleted his data remotely

Share this article

“The executive team had made a bunch of promises as far as investigating,” he said. But “they went from being seemingly helpful to, when I got to the highest level, I just got shut down.” Verizon gave Collery a $400 credit and another refurbished phone that did not have an MDM profile on it. The company also let him keep the phone with MDM, which he wanted for evidence. “I was allowed to keep the phone with the MDM on it and I was credited for that because otherwise they would have charged me for a full phone,” Collery told Ars. While Collery received a former demo unit, it’s probably more typical for customers to receive refurbished phones that previously belonged to other Verizon customers. It’s Verizon’s responsibility to ensure that such phones contain no personal data before they are sent to a new owner. Cooper Quintin, a security researcher and senior technologist at the Electronic Frontier Foundation, told Ars that the incident raises concern about “what Verizon means when they say ‘refurbished.’ I would expect a refurbished phone to be completely factory reset, like new essentially.” He said the incident “leaves me wondering how many refurbished phones still contain the original owner’s data.” Anyone shipping a used device back to a carrier should try to erase their data first, but it’s critical for Verizon to have a strict process for ensuring that any device is completely wiped and in a like-new state before sending it to someone else. Quintin said the incident should spur Verizon to conduct a thorough review of how the company handles refurbished phones before sending them to users. “Frankly, I think this should trigger not just an internal review, but I think this warrants outside investigation as well,” he said. While Verizon said it would conduct an internal investigation, Quintin said, “I don’t generally trust corporations to police themselves.” MDM profiles are used by company IT departments to remotely manage devices issued to employees. Needless to say, Verizon shouldn’t have this level of access to a customer’s device. The refurbished phone didn’t solve Collery’s problems with the Verizon network, but it otherwise seemed to work, at first. Collery, who lives in San Francisco, transferred data to the new device and returned the original phone. Then things got weird. After about 10 days, the phone was “repeatedly updating security updates and restarting,” Collery wrote in a Reddit post in April. Within another few days, “the phone restarted and came back on as if it had been factory reset,” he wrote. “I attempted to log into Google and Samsung accounts only to get messages saying I did not have permission and to contact my IT administrator for access,” Collery wrote. After the factory reset, it became clear that the phone was tied to Verizon’s MDM system. “This device is managed. Property of Verizon has configured this device to be fully managed,” a message displayed on the phone screen said. The message on the screen also said, “Device owned by Verizon” and “Protected with BricTECH.” That’s a type of device management system that supports Android phones. The unexpected restarts and factory reset experienced by Collery may have been evidence that Verizon was using its MDM system to send instructions to a large number of devices. “When you have a fleet of demo phones like this and you have MDM, you’re just sending instructions to all the phones,” Quintin said. If Verizon has a policy to wipe demo phones periodically, it might simply have been “time for that policy to kick in and that’s why his phone got wiped,” Quintin said. Collery’s data was gone from the phone, and it turned out that the backups to his Google and Samsung accounts weren’t as up to date as he thought they were. Collery, who works in healthcare, said in a phone interview, “I lost everything. Contacts, messages, videos, documents, pictures, everything from patient information to the last video I have with my grandmother before she died. Everything within a couple of years’ span for some reason is gone from both my backups, and everything that was on that phone originally was completely wiped.” After being dissatisfied with the response from Verizon support, Collery made the Reddit post and later reached out to Ars. He shared documents with us, including a letter Verizon provided to the Federal Communications Commission after he complained to the FCC. Verizon’s letter to the FCC, dated April 2, said Collery was mistakenly sent a store demonstration unit instead of a phone suitable for a paying customer. “We acknowledge the seriousness of the error that led to Mr. Collery receiving a device subsequently identified as a ‘demo phone,’ which was found to have a Mobile Device Management (MDM) registration linked to Verizon. This procedural lapse has been formally submitted for internal investigation,” Verizon’s executive relations department told the FCC. Collery said a Verizon supervisor assured him that refurbished phones are “like new” and go through a “150-point inspection.” Verizon said in its FCC response that all refurbished devices come from the manufacturer and insisted that they go through a strict process. “The Executive Office has advised that all Certified devices originate directly from the manufacturer and are designed to meet stringent quality assurance standards,” Verizon told the FCC. But Collery wasn’t finished. Concerned about the privacy implications of having used an MDM-controlled device, he asked Verizon for records disclosing what personal information was recorded by Verizon’s MDM software. He also wanted details about what commands were issued to the device. A Verizon executive relations representative told Collery in a May 12 email, “I received word back from the Legal team. In order to provide any details about the MDM, we would require a legal order.” Collery pointed out in a May 13 email to Verizon that under the California Consumer Privacy Act, companies are required to disclose the personal information they collect about a consumer when the consumer requests that information. Collery also warned Verizon that California’s invasion-of-privacy statute provides for damages of $5,000 per violation. Trying to end the dispute, Verizon offered to waive Collery’s current device payments. Collery told Ars that a Verizon representative asked him if this would be “enough for me to walk away from this situation.” Collery didn’t accept that offer and is pursuing his legal options. He sent Verizon a formal request for his data under the CCPA, and plans to file a complaint under the CCPA after giving Verizon time to respond to the data request. He submitted a notice of dispute to Verizon, which is a prerequisite for filing an arbitration case. He is also considering filing a case in small claims court. “While I am willing to continue to negotiate in good faith, it is difficult to negotiate fairly when Verizon is refusing to disclose basic details that would confirm exactly what information [was] exfiltrated from my device and who at Verizon issued the command to delete all of my personal data,” Collery told Verizon in the May 13 email. Retrieving the deleted data seems like a lost cause. Collery said Verizon advised him to take the phone to a uBreakiFix store, but a uBreakiFix employee was unable to recover any data because of the MDM profile. Quintin said that once MDM is removed from a phone, Verizon probably would not have any other method to extract data from it. Verizon also said it attempted to find Collery’s original phone, the one he had before receiving the replacement with MDM installed. “I am making a final attempt to see if we can recover your original device so you can attempt to recover information from it. I am not able to make any promises, but I am working with the Warehouse team currently to try to recover it,” a Verizon employee told him on April 24. Nothing came of that attempt. Even if the original phone had been located, extracting data would have been impossible—if the phone was properly wiped. To top it all off, Collery said the service problems that spurred him to contact Verizon in the first place were never resolved. Collery said his Verizon service did not improve even after he received the second refurbished phone to replace the demo unit. “My service is still abysmal,” Collery told us last week. “I can’t even get a GPS signal in front of my building. I usually have to drive at least a few blocks before anything works.”