Remote Wipe Is Not Data Destruction: What Your MDM Cannot Do and What Happens to Devices After the Wipe
In March 2026, Iranian hackers broke into Stryker, the US medical device company, and remotely wiped tens of thousands of employee devices. In May 2026, Instructure paid a ransom to the ShinyHunters gang and received what the criminals called "shred logs confirming data destruction" as proof that 275 million student records had been deleted.
Neither event produced certified data destruction.
In Stryker's case, the wipe was an act of sabotage carried out by attackers, not a compliance measure. In Instructure's case, the "proof" came from the criminal group that had stolen the data, and carries precisely zero forensic or legal value. Both cases put a spotlight on a distinction most organisations have never clearly drawn: the difference between wiping a device to secure it on the network and destroying the data on it to satisfy your obligations when the device leaves your control.
Your MDM tool is designed for the first job. It was not designed for the second.
Key takeaways
Remote wipe via MDM (Microsoft Intune, Jamf, Kandji, Workspace ONE) removes user-accessible data. It does not reach SSD over-provisioned cells and produces no Certificate of Destruction.
Criminal "shred logs" from a ransomware payment have no legal or forensic value as data destruction evidence.
UK GDPR Article 32 requires demonstrable appropriate technical measures. A remote wipe command produces no evidence.
NIST SP 800-88 Rev. 2 Purge is the minimum standard for any device leaving organisational control.
MDM wipe and certified data destruction serve different purposes. Both are necessary. They are not substitutes for each other.
What a remote wipe actually does
A remote wipe command sent through your MDM platform instructs the device to restore itself to factory settings and remove the user's data from the areas of storage the operating system can access. On a smartphone, it removes contacts, messages and apps. On a laptop, it removes user profiles, local files and configuration.
This is genuinely useful for active device security. If a device is lost or stolen, a remote wipe prevents the person who finds it from using it immediately. If an employee is terminated, a wipe removes their access. These are real security controls with real value for devices still in the network or in active circulation.
What a remote wipe does not do is address the full storage medium. On a solid-state drive, wear-levelling technology spreads data across more cells than the visible storage capacity, and maintains an over-provisioned reserve of cells that the operating system cannot directly address. A remote wipe command from an MDM tool writes to the logical storage the device reports. It does not instruct the drive's firmware to erase the reserve. Data that migrated to the over-provisioned reserve during the drive's operation remains there after the wipe, untouched.
It also produces no Certificate of Destruction, no serial-level record, no audit trail and no document that satisfies a regulatory inquiry.

The four wipe methods that do not satisfy GDPR
Most organisations use one or more of these and believe they have data destruction covered.
MDM remote wipe. Removes data from user-accessible storage. Does not reach SSD over-provisioned cells. Produces no certificate. Does not satisfy NIST SP 800-88 or UK GDPR Article 32 for devices leaving your organisation.
BitLocker encryption then format. Encrypting a drive and then formatting it is a common approach that seems logical. The problem is that if the encryption key exists anywhere, the data is potentially recoverable by anyone with access to that key. True cryptographic erasure requires destroying the key in a verifiable, documented way and confirming the key cannot be recovered. A simple format after BitLocker is not that.
Factory reset from device settings. As covered in our previous piece on data recovery science, a factory reset removes the file system index and marks sectors as available. The underlying data remains on the medium until physically overwritten. On SSDs, it does not address the over-provisioned reserve.
Criminal shred logs or ransom payment receipts. Instructure paid a ransom and received shred logs confirming data destruction from the same group that had stolen the data. There is no scenario in which a certificate from the party that stole your data constitutes evidence of compliant destruction. This is worth stating plainly because some organisations have interpreted a ransom payment as closing the incident. It does not close the data protection obligation.
What the comparison actually looks like
The table in the infographic above lays it out directly. A remote MDM wipe removes user data from accessible storage, which is one point in its favour. On every other dimension: reaching SSD over-provisioned cells, satisfying NIST SP 800-88 Rev. 2, producing a Certificate of Destruction, creating a serial-level audit trail, satisfying UK GDPR Article 32 and being accepted by the ICO as evidence, a remote wipe fails on every count. A certified NIST Purge or physical destruction passes on every count.
These are not competing approaches. They serve different moments in a device's life. Remote wipe is for the active security phase. NIST Purge or Destroy is for the disposal phase. The mistake is assuming that one replaces the other.
What the regulatory expectation actually is
Most breaches in 2026 were preventable, with root causes including employees falling for phishing attacks, cloud platforms deployed without proper security controls, organisations detecting attacks too late, and without incident response practice, attacks escalating quickly. The ICO's enforcement pattern across 2025 and 2026 shows the same expectation repeated in every penalty notice: organisations must demonstrate appropriate technical measures under Article 32. A remote wipe command, with no certificate, no standard named and no serial-level record, does not demonstrate anything. It is an action without evidence.
When the ICO investigates a data protection incident and asks for proof that devices containing personal data were securely destroyed, the answer must be a Certificate of Data Destruction naming every device by serial number, confirming the sanitisation method applied, naming the standard (NIST SP 800-88 Rev. 2 at minimum) and signed by the certifying party. An MDM activity log showing a wipe command was sent is not that document.
The practical implication
Remote wipe stays in your process. It should be part of your offboarding flow, your lost-device protocol and your BYOD policy. That does not change.
What needs to be added is a certified end-of-life disposal step for every device that leaves your organisation permanently, whether through a refresh cycle, a leaver, a site closure or a data centre decommission. That step requires a certified ITAD partner, NIST SP 800-88 Purge level sanitisation, a serial-level Certificate of Destruction and, from Q4 2026, a DEFRA Digital Waste Tracking consignment reference on every certificate.
The Stryker devices wiped by Iranian hackers in March 2026 were wiped as an act of sabotage. Stryker's compliance team still needs to account for every one of those devices when they leave service. A hostile wipe command does not close the data protection obligation on the hardware. It just makes the IT team's week considerably worse.
Retire your IT. Recover its value. Prove it is gone.
NanoSoft provides certified IT asset disposal that closes the gap your MDM leaves open. Every device processed through NIST SP 800-88 Rev. 2, every drive certified individually by serial number, every job producing a Certificate of Destruction that satisfies the ICO, the FCA and a Cyber Essentials assessment. ISO 27001 certified, ADISA accredited, DEFRA DWTS ready from Q4 2026.
Contact NanoSoft: services@nanosoftltd.com | 0800 677 1344 | Unit 8 & 9 Maldon Trade Park, Heybridge, Maldon CM9 4LJ, UK
NanoSoft Team
Writer at Nanosoft - covering ITAD, data security, and sustainable technology lifecycle management.
Found this useful? Share it.



