
FBI Can Read Your Deleted Signal Messages: What This Means for Business

Norvet MSP Team April 2026 6 min read
Documents revealed that the FBI successfully extracted deleted Signal messages from a seized iPhone.

If you or your team uses Signal — or any encrypted messaging app — because you believe those conversations are private and impermanent, that assumption just got complicated.

This is not a story about whether Signal is trustworthy. It is a story about the gap between what "encrypted" means and what "private" means. That gap has real consequences for businesses, especially those in healthcare, legal, and finance.

What Actually Happened

Signal encrypts messages end-to-end. That means messages in transit cannot be intercepted. Once they are delivered and sitting on a device, however, forensics tools run against that device may be able to recover them, deleted or not.

The FBI used mobile forensics software to extract messages from a physically seized iPhone. The key phrase is "physically seized." This was not a breach of Signal's encryption. Signal's encryption held. What the FBI accessed was data at rest on a device they had in their hands.

"Deleted" on a phone often means the file system entry is removed, not the data itself. That data can persist in unallocated storage until it is overwritten. Forensics tools know how to find it.

"Encrypted in transit" and "gone when deleted" are two different guarantees. Signal provides the first. No consumer app reliably provides the second — especially when someone has physical access to the device.

What This Means for Businesses That Use Encrypted Messaging

Many small businesses started using Signal, WhatsApp, or similar apps because they read that these apps are encrypted. They assumed encrypted meant private, and private meant protected.

The FBI extraction case shows that "protected" depends on context. Encryption protects your messages from being intercepted while they travel across the internet. It does not necessarily protect messages from device forensics, cloud backups, or multi-device sync.

Consider a few scenarios that affect businesses directly:

  • An employee backs up their iPhone to iCloud. iCloud backups can include app data. Depending on settings, Signal conversations may be included.
  • A business uses WhatsApp for client communication. WhatsApp messages back up to Google Drive or iCloud by default. Those backups are not end-to-end encrypted.
  • A team member has Signal installed on both a phone and a tablet. Messages exist on multiple devices, each with its own forensics exposure.
  • An employee leaves the company. Their personal phone — with work conversations on it — leaves with them.

None of these scenarios require a government investigation to create a problem. They create data governance problems for any business that cares about confidentiality.

The Difference Between "Deleted" and "Gone"

Deleted on a device means the operating system no longer points to that data. It does not mean the data is overwritten.

Forensics tools like Cellebrite and GrayKey, which law enforcement and enterprise investigators use, scan unallocated storage and recover data that the OS considers gone. This works until the storage space is reused, which can take weeks or months on a device that is not heavily used.
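To make the "deleted is not gone" point concrete, here is an added illustration (not code from this post, and not the behaviour of Cellebrite, GrayKey or any real file system): a toy block device whose delete only drops the directory entry, a signature scan over the raw image that recovers the "deleted" message anyway, and an overwrite-before-release variant that does not leave it behind. The device, the `MSG:` record format and the messages are all constructed for the example.

```python
"""Toy block device showing why a deleted message can still be carved.

Constructed illustration: a flat byte store with a directory that maps
names to blocks. Nothing here models a real phone file system.
"""
import re

BLOCK = 64  # constructed: bytes per block


class ToyDevice:
    def __init__(self, blocks=3):
        self.storage = bytearray(BLOCK * blocks)   # the raw "flash image"
        self.free = list(range(blocks))            # free block list
        self.directory = {}                        # name -> block index

    def write(self, name, data: bytes):
        assert len(data) <= BLOCK
        blk = self.free.pop(0)
        # Fill the whole block so a reused block fully overwrites old bytes.
        self.storage[blk * BLOCK:(blk + 1) * BLOCK] = data.ljust(BLOCK, b"\x00")
        self.directory[name] = blk

    def delete(self, name):
        # Typical deletion: forget the directory entry and mark the block
        # free; the bytes stay in place until the block is reused.
        self.free.append(self.directory.pop(name))

    def secure_delete(self, name):
        # Overwrite the block before releasing it, so nothing is left to carve.
        blk = self.directory[name]
        self.storage[blk * BLOCK:(blk + 1) * BLOCK] = b"\x00" * BLOCK
        self.delete(name)


def carve_messages(storage: bytearray):
    """Signature scan of the raw image, ignoring the directory entirely.
    Returns every constructed 'MSG:' record still present, in block order."""
    return [m.decode() for m in re.findall(rb"MSG:([^\x00]+)", bytes(storage))]


def demo():
    dev = ToyDevice(blocks=3)
    dev.write("chat1", b"MSG:patient 4471 labs are back")   # constructed PHI-like text
    dev.write("chat2", b"MSG:lunch at noon?")
    dev.delete("chat1")                                     # normal delete
    visible = sorted(dev.directory)                         # the OS view
    carved_after_delete = carve_messages(dev.storage)       # the forensic view
    dev.write("chat3", b"MSG:see you at 3")                 # takes the last fresh block
    dev.write("chat4", b"MSG:contract pricing attached")    # reuses chat1's block
    carved_after_reuse = carve_messages(dev.storage)
    dev.secure_delete("chat2")
    carved_after_wipe = carve_messages(dev.storage)
    return {"visible": visible, "carved_after_delete": carved_after_delete,
            "carved_after_reuse": carved_after_reuse, "carved_after_wipe": carved_after_wipe}


if __name__ == "__main__":
    print(demo())
```

The directory shows one file after the delete, while the carve still returns the "deleted" patient message; it disappears only once its block is reused or deliberately overwritten.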

Cloud backups complicate this further. If your messages sync to a cloud backup service and you delete them from your phone, the cloud copy may persist according to that service's own retention policy — which you probably have not read.

Why This Especially Matters for Healthcare, Legal, and Finance

For regulated industries, this is not just a privacy concern. It is a compliance exposure.

Healthcare and HIPAA

HIPAA requires that Protected Health Information (PHI) be transmitted and stored only on platforms with a Business Associate Agreement. Signal does not offer a BAA. Using Signal to discuss patient information — even briefly, even in a deleted message — creates a HIPAA violation.

If that device is ever seized, audited, or forensically examined, those deleted messages become documented evidence of noncompliance. OCR fines for HIPAA violations run from $100 to $50,000 per violation, with annual maximums reaching $1.9 million per violation category.

Legal and Attorney-Client Privilege

Attorney-client privilege requires that communications remain confidential. Using a personal messaging app on a personal device for privileged client conversations creates a question about whether that privilege has been waived or can be reliably asserted.

State bar guidelines on electronic communication vary, but the general principle is that attorneys must take reasonable steps to ensure confidentiality. Relying on a consumer app on a personal device does not meet that standard.

Finance and Government Contracting

SOC 2 compliance requires demonstrating that communication channels are managed and auditable. CMMC — required for Department of Defense contractors — mandates that Controlled Unclassified Information (CUI) be handled on approved systems only. A Signal message discussing contract details on a personal phone is a CUI handling violation.

Best Practices for Business Communications

The answer is not paranoia. It is governance.

  • Use managed communication platforms — Microsoft Teams, Slack for Enterprise, or managed email — for all work-related conversations. These platforms provide the retention, audit, and administrative controls consumer apps do not.
  • Define and document a retention policy. Know how long messages are kept, where they are stored, and who can access them.
  • Establish a clear policy prohibiting work communication on personal messaging apps. Document it. Train staff on it. Enforce it.
  • For regulated industries, ensure every communication platform has the appropriate compliance certifications and agreements (HIPAA BAA, SOC 2 report, FedRAMP authorization where required).
  • Conduct periodic audits of what platforms employees are actually using versus what your policy says they should use. Shadow communication apps are as real as shadow IT.

Norvet Sets Up Compliant Communication for Regulated Businesses

We configure and manage compliant communication environments for healthcare practices, law firms, financial services firms, and government contractors across the Atlanta metro and Clayton County.

That means the right platforms, the right retention settings, the right access controls, and the documentation your compliance auditor needs. It also means MDM policies that keep work communication in managed channels and out of personal apps.

If your team is using Signal, WhatsApp, or personal SMS for work communication — particularly if you are in a regulated industry — that is a risk you can close with the right setup.

Contact Norvet MSP at norvetmsp.com to schedule a communication compliance review. We will show you exactly where your current setup creates exposure and what it takes to close it.

Source Attribution

Article content used with permission from The Technology Press and adapted for Norvet MSP publishing.
