Verizon inadvertently shipped a refurbished Samsung Galaxy Z Flip7 with an active Mobile Device Management (MDM) profile to a longtime customer, allowing the carrier to remotely erase his personal data. This incident exposes potential gaps in Verizon’s handling and preparation of refurbished phones before resale.

  • Verizon sent a refurbished phone with active corporate MDM control to a customer.
  • Customer’s personal data was remotely erased due to the MDM profile.
  • Security experts question Verizon’s refurbishment and data-wiping processes.

What happened

Tom Collery, a Verizon customer experiencing network issues in February, received a replacement Galaxy Z Flip7 phone from Verizon. Instead of a factory-reset refurbished device or new handset, the replacement was a store demo unit that still had a Mobile Device Management (MDM) profile installed. This profile allowed Verizon to remotely control the device, including erasing its data.

Collery used the phone for a couple of weeks before Verizon remotely triggered a full factory reset, deleting all of his personal information. Verizon acknowledged the issue and gave Collery a $400 credit and a second refurbished phone without MDM, but has not explained how the error happened or whether similar incidents may have occurred.

Why it matters

The incident highlights significant concerns about how Verizon prepares refurbished phones for resale. Industry best practices require that used devices be thoroughly wiped and freed of management software before being sent to new users to protect prior owners’ data and maintain customer trust.

Security experts warn this failure could indicate wider systemic problems. If customers receive devices that retain previous users’ data or management controls, it could result in privacy breaches, unauthorized remote access, and loss of personal information, undermining confidence in carrier refurbishment programs.

What to watch next

Verizon says it is conducting an internal investigation but has yet to disclose its findings or any concrete steps to prevent recurrence. Industry observers and privacy advocates may call for more transparency and possibly external audits of refurbishment and data deletion procedures at Verizon and other carriers.

For customers, this case underscores the importance of not relying entirely on carriers to wipe personal data from devices before trade-in or resale and of verifying device resets after receiving refurbished units. It also raises potential legal considerations as affected users like Collery consider pursuing claims related to data loss and mishandling.

Source assisted: This briefing began from a discovered source item from Ars Technica Tech Policy.