Disposing of USB sticks and memory cards safely
Every office drawer has them: a tray of conference USB sticks, old SD cards from cameras, microSDs from phones. Mostly unused for years, often containing data nobody remembers. And yet they usually end up in the bin, with the thought "that was probably old and unimportant". That is exactly how data breaches start. A stick from ten years ago can still contain the full quotation database from 2015.
This article explains why formatting or throwing away is not an option, which standard applies to small flash media, and how to dispose of them in bulk.
The technology in brief
USB sticks and SD cards are NAND flash, just like SSDs but with simpler controllers. The same mechanisms apply:
- Wear levelling: data is spread across cells to limit wear. An overwrite does not hit every physical memory location.
- Spare cells: cheap sticks have fewer reserves than expensive SSDs, but typically still hold 5 to 10 percent of capacity that is invisible to the user.
- Poor TRIM: many sticks do not support TRIM at all, so erased data lingers until physically overwritten.
For deeper coverage of this technology, see our article on why overwriting on SSD does not work.
Why formatting is not enough
A "quick format" only touches the file table, not the actual data. A recovery tool like PhotoRec or R-Studio recovers the files within minutes. Even a "full format" on Windows or macOS often overwrites only part of the raw physical memory, with all the wear levelling caveats.
A format makes a stick clean for the user, not for the forensic analyst. Recovery software restores within 5 minutes what you thought you erased in 10 minutes of formatting.
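The quick-format case described above, as an added example that is not part of the original article: a constructed 64 KiB image with a hypothetical toy file table is "quick formatted", after which a raw signature scan (the approach carving tools take) still returns the file intact. The table layout, file name and payload are constructed assumptions, not a real file system.

```python
import struct

SECTOR = 512
JPEG_SOI, JPEG_EOI = b"\xff\xd8\xff", b"\xff\xd9"  # JPEG start / end markers

def build_image():
    """Constructed image: sector 0 holds a toy file table, data starts at sector 8."""
    img = bytearray(64 * 1024)
    photo = JPEG_SOI + b"\xe0" + b"constructed-photo-payload" * 40 + JPEG_EOI
    start = 8 * SECTOR
    img[start:start + len(photo)] = photo
    # Toy table entry (hypothetical layout): 11-byte name, start sector, length.
    img[0:19] = struct.pack("<11sII", b"QUOTES  JPG", 8, len(photo))
    return img, photo

def list_files(img):
    """What the user sees: only what the file table references."""
    name, start, length = struct.unpack("<11sII", img[0:19])
    if name.strip(b"\x00") == b"":
        return []
    return [(name.decode(), start, length)]

def quick_format(img):
    """Quick format: reset the file table, leave every data sector untouched."""
    img[0:SECTOR] = bytes(SECTOR)

def carve_jpegs(img):
    """Scan the raw bytes for JPEG markers, ignoring the file table entirely."""
    found, pos = [], 0
    while (s := img.find(JPEG_SOI, pos)) != -1:
        e = img.find(JPEG_EOI, s + len(JPEG_SOI))
        if e == -1:
            break
        found.append(bytes(img[s:e + 2]))
        pos = e + 2
    return found

def demo():
    img, photo = build_image()
    before = list_files(img)      # file visible through the table
    quick_format(img)
    after = list_files(img)       # stick looks empty to the user
    carved = carve_jpegs(img)     # data is still physically present
    return before, after, carved == [photo]

if __name__ == "__main__":
    print(demo())
```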
What does DIN 66399 say about USB and SD?
USB sticks and memory cards fall under the E-series of DIN 66399 (Electronic media). The levels are identical to those for SSD:
- E-3: particles up to 160 mm². Too coarse for personal data.
- E-4: particles up to 30 mm². Minimum for regular personal data.
- E-5: particles up to 10 mm². Special categories, financial, medical.
- E-6: particles up to 1 mm². Top secret level.
For SMEs E-4 is the standard. For medical records on SD (think microscope images, ECG exports) choose E-5. Healthcare professionals will find more detail in our article on WGBO patient records and data retention.
Four real-world cases
1. The conference stick
A stick from a conference sometimes contains the presentation and harmless information. But users also regularly copy files from their own laptop onto it. Approach: destroy, do not redeploy. The value of a 2 GB stick is lower than the risk.
2. The micro-SD from an old phone
Often contains photos, app data, WhatsApp backups, tokens. Formatting on the phone is not enough. Pull the card from the phone and shred it.
3. The SD card from a camera
Photos of events, sometimes portraits of people who did not consent to publication. Destroy as soon as the card is no longer needed.
4. The corporate USB with quotations
The riskiest case. Customer data, quotations, internal memos. Always destroy on departure or device rotation.
How to dispose of them in bulk?
Small volumes (up to 10 units) can usually go in a regular HDD or SSD destruction run. For larger volumes:
- Collect sticks and cards in a sealed box. Note where they came from if you still know.
- Do not wait until you have hundreds. Monthly or quarterly inclusion in a mobile shredder run is efficient.
- Request a certificate with the number of units per media type.
- After destruction, dispose of the housings as regular electronics waste (KGA / e-waste).
Drawer full of USB sticks and SD cards?
We include them in a mobile shredder run and destroy to DIN 66399 E-4 or higher. Certificate per job, no hidden costs.
The tricky cases
Encrypted USB sticks
Hardware-encrypted sticks (BitLocker-to-Go, IronKey, Kingston DataTraveler Vault) are theoretically protected once the password is forgotten. Theoretically. In practice firmware vulnerabilities keep surfacing, and the GDPR does not ask for "good enough" but for "appropriate measures". Disposing of an encrypted carrier? Still shred, then there is no discussion.
Memory cards in defective devices
An old camera, phone or tablet with built-in memory (eMMC, UFS) or a glued-in card cannot be taken apart. Hand in the whole device with a mobile destruction run. The device goes through the shredder housing and all, which is often faster and safer than dismantling.
Product samples on memory card
Companies that supply prototypes on SD or microSD (firmware, beta software) often leave behind training data or source code by accident. At disposal, shredding the sample card is required, not a soft format.
Certification and evidence
For a small volume, certification may seem like overkill, but it is part of the job. A destruction certificate for small data media should mention:
- Number of units per category (USB, SD, microSD)
- Total weight
- Security level (e.g. E-4)
- Date and location of destruction
- Unique job number
See our article on the certificate of destruction for a full explanation.
Summary
Small data carriers are disproportionately risky: they often hold sensitive data, they are easy to lose, and they survive formatting effortlessly. The only reliable way to be rid of them is physical destruction per DIN 66399 E-4 or higher. That costs a few euros per stick and gives you the paperwork to sail through any audit.
Time to clear out? Call us or request a quote via desnipperaar.nl. Mobile shredder at your door, certificate per job.