Verizon sent one of its customers a “refurbished” phone equipped with a Mobile Device Management (MDM) profile that gave the company remote control over the device. The serious mistake raises questions about Verizon’s process for preparing refurbished phones to be sent to customers.

Tom Collery, the unlucky Verizon customer, called Verizon in February after having network problems, including dropped calls. Verizon responded by sending him a replacement for his phone, a Samsung Galaxy Z Flip7. But instead of a brand-new device or a properly functioning refurbished one, Verizon sent Collery a device managed with the same kind of software used to monitor and control company-owned phones.

It turned out the device was a store demo unit that wasn’t properly wiped before it was sent to Collery. He said he used the phone for a couple of weeks before all of his data was erased, seemingly due to a remote action that triggered a complete reset.

Verizon said it would conduct an internal investigation into the mistake that afflicted Collery, but it hasn’t revealed how the error occurred or what the company is doing to ensure it or something similar won’t happen again. Verizon did not answer any of our specific questions except to say it was aware of Collery’s problem and was working to address it.

“We are aware of this customer’s concern and are actively and directly working with him to address it,” Verizon told Ars in the only comment it provided to us in the seven weeks since we first contacted the carrier about the incident.

Verizon “made a bunch of promises”

Collery told Ars that he has been a Verizon customer for 22 years. He was hoping Verizon would offer a full explanation of what happened and make an effort to help him recover data that was lost when the phone was remotely reset. Collery said he may switch to another carrier but that for now, he is focused on taking legal action against Verizon.

“The executive team had made a bunch of promises as far as investigating,” he said. But “they went from being seemingly helpful to, when I got to the highest level, I just got shut down.”

Verizon gave Collery a $400 credit and another refurbished phone that did not have an MDM profile on it. The company also let him keep the phone with MDM, which he wanted for evidence.

“I was allowed to keep the phone with the MDM on it and I was credited for that because otherwise they would have charged me for a full phone,” Collery told Ars.

While Collery received a former demo unit, it’s probably more typical for customers to receive refurbished phones that previously belonged to other Verizon customers. It’s Verizon’s responsibility to ensure that such phones contain no personal data before they are sent to a new owner.

Concern about Verizon security practices

Cooper Quintin, a security researcher and senior technologist at the Electronic Frontier Foundation, told Ars that the incident raises concern about “what Verizon means when they say ‘refurbished.’ I would expect a refurbished phone to be completely factory reset, like new essentially.” He said the incident “leaves me wondering how many refurbished phones still contain the original owner’s data.”

Anyone shipping a used device back to a carrier should try to erase their data first, but it’s critical for Verizon to have a strict process for ensuring that any device is completely wiped and in a like-new state before sending it to someone else.

“Are they going to fail to delete your data off it before they refurbish it and sell it to somebody else?” Quintin asked. “If they failed to delete the MDM off it in this case, it seems to me like that’s something that could happen again. I think it raises the question of what are their practices, exactly, for wiping and resetting refurbished phones, and are there other instances where… the previous owner’s data has been left on a phone that was sold to somebody else?”

Quintin said the incident should spur Verizon to conduct a thorough review of how the company handles refurbished phones before sending them to users. “Frankly, I think this should trigger not just an internal review, but I think this warrants outside investigation as well,” he said. While Verizon said it would conduct an internal investigation, Quintin said, “I don’t generally trust corporations to police themselves.”

MDM profiles are used by company IT departments to remotely manage devices issued to employees. Needless to say, Verizon shouldn’t have this level of access to a customer’s device.

Unexpected factory reset

The refurbished phone didn’t solve Collery’s problems with the Verizon network, but it otherwise seemed to work, at first. Collery, who lives in San Francisco, transferred data to the new device and returned the original phone. Then things got weird.

After about 10 days, the phone was “repeatedly updating security updates and restarting,” Collery wrote in a Reddit post in April. Within another few days, “the phone restarted and came back on as if it had been factory reset,” he wrote.

“I attempted to log into Google and Samsung accounts only to get messages saying I did not have permission and to contact my IT administrator for access,” Collery wrote.

After the factory reset, it became clear that the phone was tied to Verizon’s MDM system. “This device is managed. Property of Verizon has configured this device to be fully managed,” a message displayed on the phone screen said.

The message on the screen also said, “Device owned by Verizon” and “Protected with BricTECH.” That’s a type of device management system that supports Android phones.

The unexpected restarts and factory reset experienced by Collery may have been evidence that Verizon was using its MDM system to send instructions to a large number of devices. “When you have a fleet of demo phones like this and you have MDM, you’re just sending instructions to all the phones,” Quintin said.

If Verizon has a policy to wipe demo phones periodically, it might simply have been “time for that policy to kick in and that’s why his phone got wiped,” Quintin said.

Verizon admitted mistake in letter to FCC

Collery’s data was gone from the phone, and it turned out that the backups to his Google and Samsung accounts weren’t as up to date as he thought they were. Collery, who works in healthcare, said in a phone interview, “I lost everything. Contacts, messages, videos, documents, pictures, everything from patient information to the last video I have with my grandmother before she died. Everything within a couple of years’ span for some reason is gone from both my backups, and everything that was on that phone originally was completely wiped.”

After being dissatisfied with the response from Verizon support, Collery made the Reddit post and later reached out to Ars. He shared documents with us, including a letter Verizon provided to the Federal Communications Commission after he complained to the FCC.

Verizon’s letter to the FCC, dated April 2, said Collery was mistakenly sent a store demonstration unit instead of a phone suitable for a paying customer.

“We acknowledge the seriousness of the error that led to Mr. Collery receiving a device subsequently identified as a ‘demo phone,’ which was found to have a Mobile Device Management (MDM) registration linked to Verizon. This procedural lapse has been formally submitted for internal investigation,” Verizon’s executive relations department told the FCC.

Collery said a Verizon supervisor assured him that refurbished phones are “like new” and go through a “150-point inspection.” Verizon said in its FCC response that all refurbished devices come from the manufacturer and insisted that they go through a strict process.

“The Executive Office has advised that all Certified devices originate directly from the manufacturer and are designed to meet stringent quality assurance standards,” Verizon told the FCC.

Verizon told FCC case was “resolved”

Verizon’s letter didn’t say who handles phone refurbishment. Quintin said that if Verizon uses a contractor to wipe phones and it didn’t wipe the MDM profile, it “makes me wonder, is that other company wiping data at all? Are there a lot of phones going through that company that just don’t ever get a factory reset?”

Verizon’s letter to the FCC also discussed the network problems that led Collery to contact the company. It said Verizon investigated and found “that some customer devices in the area have recently reported less than optimal coverage. These customers may experience fluctuations in signal/coverage on a daily basis due to a variety of reasons such as cell site changes, foliage, bodies of water, construction, population changes, and other interference outside of Verizon’s control.”

Verizon’s letter said Collery could use a network extender “that works like a miniature cell tower to improve voice and data coverage at home.” According to Collery, Verizon told him it would provide an extender but never sent him one and later told him the device was out of stock.

Verizon’s letter to the FCC said: “Mr. Collery received compensation exceeding $400.00 for the inconvenience related to this matter prior to the filing of this complaint. We have indicated that no further credits will be issued concerning this issue.” The letter went on to say that Verizon’s executive office “considers this case as resolved.”

But Collery wasn’t finished. Concerned about the privacy implications of having used an MDM-controlled device, he asked Verizon for records disclosing what personal information was recorded by Verizon’s MDM software. He also wanted details about what commands were issued to the device.

Verizon wouldn’t provide data without legal order

A Verizon executive relations representative told Collery in a May 12 email, “I received word back from the Legal team. In order to provide any details about the MDM, we would require a legal order.”

Collery pointed out in a May 13 email to Verizon that under the California Consumer Privacy Act, companies are required to disclose the personal information they collect about a consumer when the consumer requests that information. Collery also warned Verizon that California’s invasion-of-privacy statute provides for damages of $5,000 per violation.

Trying to end the dispute, Verizon offered to waive Collery’s current device payments. Collery told Ars that a Verizon representative asked him if this would be “enough for me to walk away from this situation.”

Collery didn’t accept that offer and is pursuing his legal options. He sent Verizon a formal request for his data under the CCPA, and plans to file a complaint under the CCPA after giving Verizon time to respond to the data request. He submitted a notice of dispute to Verizon, which is a prerequisite for filing an arbitration case. He is also considering filing a case in small claims court.

“While I am willing to continue to negotiate in good faith, it is difficult to negotiate fairly when Verizon is refusing to disclose basic details that would confirm exactly what information [was] exfiltrated from my device and who at Verizon issued the command to delete all of my personal data,” Collery told Verizon in the May 13 email.

“My service is still abysmal”

Retrieving the deleted data seems like a lost cause. Collery said Verizon advised him to take the phone to a uBreakiFix store, but a uBreakiFix employee was unable to recover any data because of the MDM profile. Quintin said that once MDM is removed from a phone, Verizon probably would not have any other method to extract data from it.

Verizon also said it attempted to find Collery’s original phone, the one he had before receiving the replacement with MDM installed. “I am making a final attempt to see if we can recover your original device so you can attempt to recover information from it. I am not able to make any promises, but I am working with the Warehouse team currently to try to recover it,” a Verizon employee told him on April 24.

Nothing came of that attempt. Even if the original phone had been located, extracting data would have been impossible—if the phone was properly wiped.

To top it all off, Collery said the service problems that spurred him to contact Verizon in the first place were never resolved. Collery said his Verizon service did not improve even after he received the second refurbished phone to replace the demo unit.

“My service is still abysmal,” Collery told us last week. “I can’t even get a GPS signal in front of my building. I usually have to drive at least a few blocks before anything works.”