I heard from many readers last week who were curious why I had not weighed in on the massive (and apparently still unfolding) data breach at the U.S. Office of Personnel Management (OPM). Turns out, the easiest way for a reporter to make sure everything hits the fan from a cybersecurity perspective is to take a two week vacation to the other end of the world. What follows is a timeline that helped me get my head on straight about the events that preceded this breach, followed by some analysis and links to other perspectives on the matter.
OPM offices in Washington, DC. Image: Flickr.
July 2014: OPM investigates a breach of its computer networks dating back to March 2014. Authorities trace the intrusion to China. OPM offers employees free credit monitoring and assures employees that no personal data appears to have been stolen.
Aug. 2014: It emerges that USIS, a background check provider for the U.S. Department of Homeland Security, was hacked. USIS offers 27,000 DHS employees credit monitoring through AllClearID (full disclosure: AllClear is an advertiser on this blog). Investigators say Chinese are hackers responsible, and that the attackers broke in by exploiting a vulnerability in an enterprise management software product from SAP. OPM soon suspends work with USIS.
November 2014: A report (PDF) by OPM’s Office of the Inspector General on the agency’s compliance with Federal Information Security Management Act finds “significant” deficiencies in the department’s IT security. The report found OPM did not maintain a comprehensive inventory of servers, databases and network devices, nor were auditors able to tell if OPM even had a vulnerability scanning program. The audit also found that multi-factor authentication (the use of a token such as a smart card, along with an access code) was not required to access OPM systems. “We believe that the volume and sensitivity of OPM systems that are operating without an active Authorization represents a material weakness in the internal control structure of the agency’s IT security program,” the report concluded.
Dec. 2014: KeyPoint, a company that took over background checks for USIS, suffers breach. OPM states that there is “no conclusive evidence to confirm sensitive information was removed from the system.” OPM vows to notify 48,439 federal workers that their information may have been exposed in the attack.
Feb. 2015: Health insurance giant Anthem discloses breach impacting nearly 80 million customers. Experts later trace domains, IP addresses implicated in attack to Chinese hackers. Anthem offers two years of free credit monitoring services through AllClearID.
May 2015: Premera Blue Cross, one of the insurance carriers that participates in the Federal Employees Health Benefits Program, discloses a breach affecting 11 million customers. Federal auditors at OPM warned Premera three weeks prior to the breach that its network security procedures were inadequate. Unlike the Anthem breach, the incident at Premera exposes clinical medical information in addition to personally identifiable information. Premera offers two years of free credit monitoring through Experian.
May 2015: Carefirst Blue Cross discloses breach impacting 1.1 million customers. Clues unearthed by researchers point to the same attack infrastructure and methods used in the Anthem and Premera breach. Carefirst offers two years free credit monitoring through Experian.
June 2015: OPM discloses breach affecting up to 4 million federal employees, offers 18 months of free credit monitoring through CSID. Follow-up reports indicate that the breach may extend well beyond federal employees to individuals who applied for security clearances with the federal government.
ANALYSIS
As the OPM’s Inspector General report put it, “attacks like the ones on Anthem and Premera [and OPM] are likely to increase. In these cases, the risk to Federal employees and their families will probably linger long after the free credit monitoring offered by these companies expires.”
That would appear to be the understatement of the year. The OPM runs a little program called e-QIP, which processes applications for security clearances for federal agencies, including top secret and above. This bit, from a July 10, 2014 story in The Washington Post, puts the depth and breadth of this breach in better perspective:
“In those files are huge treasure troves of personal data, including “applicants’ financial histories and investment records, children’s and relatives’ names, foreign trips taken and contacts with foreign nationals, past residences, and names of neighbors and close friends such as college roommates and co-workers. Employees log in using their Social Security numbers.”
That quote aptly explains why a nation like China might wish to hoover up data from the OPM and a network of healthcare providers that serve federal employees: If you were a state and wished to recruit foreign spies or uncover traitors within your own ranks, what sort of goldmine might this data be? Imagine having access to files that include interviews with a target’s friends and acquaintances over the years, some of whom could well have shared useful information about that person’s character flaws, weaknesses and proclivities.
For its part, China has steadfastly denied involvement. Politico cites a news story from the Chinese news service Xinhua which dismissed the U.S. allegations as “obviously another case of Washington’s habitual slander against Beijing on cybersecurity.”
“It also pointed to the information disclosed by former NSA subcontractor Edward Snowden, saying the U.S. itself is guilty of ‘large-scale, organized cyber theft, wiretapping and supervision of political figures, enterprises and individuals of other countries, including China’,” Politico‘s David Perera writes.
There are some who would say it is wrong or at least foolhardy to dwell on forensic data and other clues suggesting that hackers closely allied with the Chinese government were involved in these attacks. Indeed, there is a contingent of experts who argue that placing so much emphasis on attribution in these sorts of attacks is a diversion that distracts attention and resources from what really matters: learning from one’s mistakes and focusing on better securing and maintaining our critical systems.
As part of my visit to Australia (and then to gorgeous New Zealand) these past few weeks, I was invited to speak at two separate security conferences. At one of them, my talk was preceded by a speech from Mike Burgess, chief information security officer at Telstra, Australia’s largest telecom provider. Burgess knows a few things about attribution: He is an 18-year veteran of the Australian Signals Directorate (formerly the Defence Signals Directorate and the Australian equivalent of the U.S. National Security Agency).
In his speech, Burgess railed against media reports about high-profile cyber attacks that created an atmosphere of what he called “attribution distraction” and “threat distraction.” A reporter with ZDNet captured Burgess’s thoughts with this quote:
“Don’t get me wrong….I’m not saying that attribution isn’t important. I’m not saying that issues of source, great technical intelligence, and other forms of intelligence to understand the threat and the intentions of those looking to steal information from you, or disrupt your organisation for some purpose that may be unknown to you, [are not important].”
“But what I observe, what I fear, what I see too much of, is many commentators, many in the industry, and many in media, focus on attribution, with very little focus on the root cause. No-one should lose valuable information where at the root cause there is a known remedy. For me, that is unforgivable in this day and age. And I’ve got to tell you — my view at least — too much of this distraction around attribution takes away from focusing on what’s really important here.”
There is, no doubt, a great deal of wisdom in Mr. Burgess’s words. After all, OPM clearly could have been doing much more to beef up security around its very sensitive stores of data. But perhaps Burgess was onto something for a different reason: At least as it relates to the United States’ tenuous relations with China, having strong indicators of attribution in an attack of this magnitude puts the White House rather publicly between a rock and a hard place.
As The New York Times writes, the Obama administration now finds itself under pressure to respond in some way, and is reportedly considering financial sanctions against China. But as The National Journal wryly observes, this is a bit of an awkward position for a government that hardly holds the moral high ground when it comes to spying on and hoovering up data from foreign governments.
“That’s partially because in the two years since Edward Snowden’s leaks about U.S. surveillance, the Obama administration has repeatedly argued that hacking into computer networks to spy on foreigners is completely acceptable behavior,” writes Brendan Sasso. “It won’t be so easy for the U.S. to express indignant outrage just because it’s on the opposite side of the surveillance this time.”
If you’re affected by these breaches and wondering what you can do to protect yourself besides signing up for credit monitoring services, please see this story.
Like your sense of humor, and yes you were missed Brian. Keep up the good work.
Could it be that the bad guys…whomever they are placed false information? To make someone appear as a “good” guy to place a spy in our midst?
I’ve been thinking about this for months, since the first reports of OPM breakins were reported, along with other hacks of government services. To the best of my knowledge there are companies that have never been hacked on a large scale basis, such as Google, Apple, Amazon or Microsoft. Yes, individual accounts have been hacked, but that can be attributed poor security on the user’s side in every case I have followed. (I exclude Yahoo and AOL, because I have seen compelling evidence that they HAVE been hacked, although there was little publicity about it.)
Perhaps government agencies should subcontract storage of their sensitive data to businesses that know how to protect it?
apple headquarters, facebook, microsoft headquarters, were hacked at the same time a couple years ago. although MS didn’t admit it until a week or two later. Noone knows what the attackers did, but they believe it was eastern europeans in all 3 cases.
There might be a more fundamental concern instead of who hacked whom. How about who decided to put such personally identifiable information (PII) on line in the first place?
Once a person or company has a security clearance the background information used to get that clearance should be archived … securely, deeply and not connected to the rest of the world.
In the ‘old days’ if you wanted information you had to contact the people with pocket protectors who worked in very cold rooms with removable floors. Much has changed, but the need to keep information away from almost every eyeball in the world has not.
There has to be a better way.
Jonathan @nc3mobi
PS: Welcome back – I was wondering where my KOS went! New Zealand is great, is the 8:1 sheep:person ratio still in effect? Can play hob with a drive outside the city.
+1
I really like the criticism about attribution – especially since no information is given on how the trail led to the suspects. In the years since my gateway was first attacked by China sources (2005), they have become better and better about subverting this source, but are still pretty arrogant about their process. Arrogance leads to mistakes; but I wasn’t born yesterday, and I wonder sometimes if some other interest in the PRC, or perhaps even some other actor outside of China, wants it to look like it is coming from these faceless concrete buildings just outside of Shanghai.
Same thing over and over Breach, notification, canned response, credit monitoring, endless news coverage repeat again.
ThreatConnect says that the OPM was breached with Windows exploits.
Windows exploits have been the cause of the vast majority of major security breaches: Google, RSA, Mandiant’s analysis, and so forth.
Brian has warned people away from Windows because of its terrible security:
The OPM’s terrible security owes as much to its lack of database encryption as it does to its reliance on Windows and allowing Windows-based computers on its network.
In one sense, you’re totally right Roger – running windows is a huge issue (especially since we know Microsoft has cooperated with the NSA on leaving security exploits out in the wild at the NSA’s request).
In the other sense, its because Windows has 85% user marketshare that it is attacked and exploited so extensively. If Linux had the 85% it would be getting the attention and attacks, same if it was Macs.
If you have data bad guys want (or even our own NSA) they will get it no matter what platform you are on. Would the Chinese or Russian’s have done this if OPM’s users & servers were running Linux? Almost certainly.
IMO the O/S has nothing to do with it, windows is just way more popular. It can be argued linux is less secure, especially with shellshock and opencl malware, and other discovered known vulnerablilites in the past two years. Its all about what programs you run and how targeted you are and how hardened you made the box.
Whats alarming to me is the fact that they had identies of people in secret intelligence communities, yet didn’t seem to implement any real security on the data. Thats embarrassing.
I can pretty much guarantee that these Windows Exploits you speak of can be mitigated by better credential hygiene.
If you segregate your high value user accounts and machines and with privilege (think Domain Admins and domain controllers) to keep them from logging into less high value systems (general purpose servers and workstations) and vice-versa the problem would be almost non-existent.
So,if a bad actor gets on to a plain old workstation or server, they have almost no chance of accessing high value systems and credentials with all the juicy data.
It’s not a Windows issue, this same theft of credentials can happen on all the other popular systems as well. As someone else stated, Windows has the biggest market share, hence is a bigger target.
This is not a Windows issue (as the others point out), it’s an issue of organisations and people that appear not to work. Maybe humanity, organisations and individuals should work hard to hold less data, in these vulnerable places.
ThreatConnect says that the OPM was breached with Windows exploits.
Windows exploits have been the cause of the vast majority of major security breaches: Google, RSA, Mandiant’s analysis, and so forth.
Brian has warned people away from Windows because of its terrible security:
The OPM’s terrible security owes as much to its lack of database encryption as it does to its reliance on Windows and allowing Windows-based computers on its network.
Roger,
The reason malicious developers focus on building malware for windows is that windows runs on 80% of the worlds desktops. Few desktops at homes or on desks is running Linux, but if they did, hackers would target those machines. It isn’t that there are not vulnerabilities to be exploited in Linux, it is that there are fewer targets running Linux. If a hacker identifies a a target, he or she will footprint them and determine what systems they are running and then enumerate them to identify the exact versions of hardware and software they are running. Sophisticated hackers will create their own malware for each hack taking advantage of any vulnerability they can find and there are tens of thousands that can be exploited with new ones being identified and published ever day.
Windows is not inherently insecure. Any operating system can be poorly configured and most are. Furthermore, technology is not the problem, it is users. Almost every attack exploits a user by way of social engineering. Take for example the Target breach last year. The attackers gained access to the enterprise using the HVAC vendor to gain physical access to the data systems and upload their malware. That means there was a physical vulnerability that was exploited and has nothing to do with the OS.
Tom
Are you the same Fred that is listed here?
https://ephemer1c.wordpress.com/2015/05/19/scamming-the-scammer/
your fishing in the wrong pool, friend.
That’s almost a great photo from New Zealand. Just get the geeky guy out of the way 😛
🙂
Dept of Interior’s Interior Business Center hosted OPM. Is running a supposedly secure and modern data center really a DOI core competence?
Although this has been a reoccurring event over the last few years and this administration is not totally responsible, the blame has to go to the top. Government has never been good at anything they take on, but they are extraordinarily bad at computer security. I can’t say anything good about the current government in charge of the USA. The entire last 6 years has been one of incredible incompetence, stupid blunders and failures on a global scale. It comes as no surprise that efforts were not made to plug security holes in US government computer networks, even after they get burned over and over again. They do nothing significant to stop the breaches. The US spends enormous amounts of money on asinine social issues and foreign aid, but is reluctant to spend what it costs to actually protect the country from all threats, foreign and domestic, which is the ONLY thing the Federal government is really responsible for. The IRS still using WIN XP? Are you kidding? Congress won’t pass legislation to harden the electrical grid against an EMP event? It just goes on and on with no end in sight. This will not be the last display of arrogant incompetence by our leaders but the next one just might be catastrophic.
I 100% agreement with your statements. The governments is wasteful, incompetent, inefficient and reactive rather than proactive. I also think that if they can’t protect the electronic personal ID information then it shouldn’t be stored electronically online but the old fashioned way of in paper files. Doubt the Russians and Chinese thieves could steal those docs as easily.
OMG
Who seems to have the most to gain from this type of hacking? Credit monitoring services. I wouldn’t put it past any organization in this day and age.
The credit monitoring agencies must be doing very good business with all these breaches.
Brian, I tried to donate a small amount of bitcoin to you, but your “Donate Bitcoins” link takes me to Coinbase, which displays a “Checkout not found” error.
Anyway, thank you for all the work you do.
China stole yo bitcoins! 😛
I suppose most Government offices are using some kind of Firewall software, etc. Obviously those brands are not working.
Is there any way to know which one is being used where?
This is very depressing reading. I and many people I worked with are in the eQIP database. We used to submit applications/updates via paper or Microsoft Word electronic files. Then recently via the Internet and soon after the first breach of it occured.
Some basic rules should have been followed.
1. There should be no physical connection between it and the Internet.
2. All data should be encrypted and the keys properly safeguarded. (I am assuming this was not done.)
Even though the horse has bolted the barn door, there needs to be a very serious effort to protect this database. I had hoped to visit China to see some of the cultural and historical wonders there as a tourist but now I worry that I may get pulled out of line at an airport and interrogated or imprisoned.
God knows what other dangers I may face even here domestically. My home may be physically targetted, my home computers and network may become completely compromised, etc. It’s really a nightmare.
> I had hoped to visit China to see some of the cultural and historical wonders there as a tourist but now I worry that I may get pulled out of line at an airport and interrogated or imprisoned.
Wow, had not even thought of that angle.
Maybe it’s time we abandoned the One Identity Per Person principle.
> I had hoped to visit China to see some of the cultural and historical wonders there as a tourist but now I worry that I may get pulled out of line at an airport and interrogated or imprisoned.
Wow, had not even thought of that angle.
Maybe it’s time we abandoned the One Identity Per Person principle.
Uh oh, I had completely forgotten about e-QIP! That’s the third one for me in the past 4 years.
Word is that the breach was discovered during a live demonstration by a vendor of network monitoring software that looks for data intrusions etc. – would love to have been a fly on the wall during that.
Condolences to all the govt employees and applicants who have had their secret level background check information hoovered up by the Chinese or Russians or whomever did this.
There’s the article:
http://arstechnica.com/security/2015/06/report-hack-of-government-employee-records-discovered-by-product-demo/
“…hardly holds the moral high ground when it comes to spying on and hoovering up data from foreign governments…”, The National Journal
Records of 11 million Premera Blue Cross—, 1.1 million Carefirst Blue Cross—, 80 million Anthem citizens is unlike Government-to-Government evesdropping or conducting hacking investigations of international criminals. I have yet to see evidence (or any reports) that anyone in the US is conducting organized hacking for financial or personal information other than Government-to-Government evesdropping or conducting hacking investigations of criminals, unless they themselves may go before judicial processes, unlike what is being taken from U.S. computer systems (in breaches) within the non-government–that’s a “higher ground” for the U.S. Government, in objection of what The National Journal states.
I guess when people say we Americans are exceptional they are referring to our exceptional naiveté.
When are we going to learn that is NOT where you store your information, the secret is how do you protect your access to that data!
The weak link is always the access, even if the data is encrypted at rest!
If the access is compromised, the access to the information even if encrypted (which usually goes hand in hand with the access rights) is possible. Do we still believe that LogonID and Password is the ultimate way of securing access?
Seriously!
Joe, exactly!
Government systems are compromised over and over with limited or no effort to stop it. When you spend taxpayer money you have no incentive to be competent or efficient. Golf and late night talk shows are important though. The next breach, and there will be one, may be catastrophic.
So of course you had to come to New Zealand the one time I’m out of the country and can’t get my copy of your book autographed. Could you come by again in August some time?
Every time I read about the latest of these breaches, I’m left with the same thought. Surely the NSA, CIA, or whoever are doing the same thing to foreign governments that they keep doing to us. Are they getting away with it, suppressing the news coverage in places Americans would likely notice it, or what?
Too bad the NSA is so consumed with combing through our every conversation. If they had a little more time, and given their massive and costly resources, maybe they could focus a little on improving the security of US online resources.
“Free credit monitoring?”…Just tell me who is paying for that service other than you and I?….It is not “Free”…deduct any and all costs from the salaries of those that were elected or entrusted to protect the information. Any business agency; federal or not that stores unencrypted SS# should be fined or held accountable for each SS# “Lost” in a breach. $10,000 minimum for each SS#…paid to the SS# HOLDER…NOT to the Attorney General, State or government…The AG and courts work for You and I …not to fill their own slush funds…that is nothing but another way of taxing….Where do all those big fines go..did you ever see any accountability of those fines….any improvements in reducing breaches?…Congress…the so called Lawmakers only create complex laws such that their kickback law firms and lobbyist make money off our backs…WE THE PEOPLE need to write a law and force the CONGRESS to truly represent US to pass the law to protect us from the scams of government that continues day after day…we are no longer represented by the electorates ..its time to take ACTION…one way or the other…I elect Brian Krebs to draft an all encompassing law on data security…Brian…make it short and direct…no holds barred….what say you all?
Any government data that must be protected from hackers must be isolated from the internet by an “air gap”. There must be NO connection wired or wireless between the sensitive government network and the internet. This also means that there is NO access to the government network by any device that also has access to the internet. And finally, any device that has access to the government network must not have a removable storage device such as a thumb drive or a disk drive.
How they are going to spy on the Internets then?
Frank,
I disagree. We have the ability to build and implement adequate security controls if we follow know standards and best practices. How often do organizations really perform auditing of trusted agents? The answer is rarely if at all but there are numerous standards published by the NIST that recommend regular audits be done as frequently as needed depending on the sensitivity of the data. However, the reality is that you can ask most systems administrators when the last audit was done on their accounts and they will tell you “never”. That is a major cause for the Snowden incident. Just offering another perspective.
Tom
I agree with Mike Burgess completely. Focusing on attribution only shifts focus from identifying corrective actions necessary to prevent breaches. The root cause of the vast majority of breaches, like this one is that security engineering is not given the attention it should. Most government PM’s and contractors treat C&A as a paper drill and do not actually build security controls into systems. Case in point, the PII data in OPM breach we now know was not encrypted as is it recommended in the NIST publications. That is a failure on the part of the IA team and not the fault of any foreign entity.
I concur. It’s also worth noting though that while the OPM was storing highly sensitive data on behalf of the federal government they are still pretty much a civilian operated organization and not even remotely comparable to entities like NSA, DIA, DHS, CIA, or others. However, they are still subject to all of the same or worse bureaucracy without any of the added benefits of a proper budget that would be afforded to one of the more “mission critical” organizations.
There are many problems that need to be addressed on many different levels in many different organizations. But the fact that we have the knowledge required to do a better job and are still unable to do so is quite telling of something more endemic to most governments around the world and not just our own. The size and complexity of an entity is often proportional to its agility and when working with something as fluid and granular as cyber security it is absolutely vital that you have all of the proper capabilities required for your information assurance mission.
OPM apparently made several mistakes but there were many other failures here and like Mike Burgess said, attribution, while important, is a potential distraction from other equally or even more serious problems.
As someone who has actually interviewed for a Systems Administrator position w. DHS to support THEIR system of mass digital consumption referred to as Einstein 3 https://en.wikipedia.org/wiki/Einstein_(US-CERT_program)
I asked a few FUNDAMENTAL questions and in the end, it was not worth it to me to go there for my career.. here are a few of the astonishing things I discovered when I started interviewing these yayhoos!
1. Do you have a login doman such as Active Directory w. CAC login? No.
2. Do you use SCCM to run your automated patches? No.
3. Do you run regular scans of your network systems w. such tools as Retina? No, we have a “homegrown script” that another sysadmin created that we run.. he is no longer here.. but it creates a log file and we run it against the STIGS and TCNOs from DISA.
At this point, my mind said.. fuck this place. LOL!
Its not the media focusing on attribution, its the government agencies themselves!!! They keep making these bold faced claims about North Korea or China, without ever having any real proof.
Keeping systems vulnerable to spy on people seems to be more their top priority then making systems hardened. Which hurts our country way more then it helps us. Our government and industry leaders should be teaching people how to protect their networks. Not talking people out of security so tech support costs less, or for more ad targeting, or so spying on our own citizens is easier. This goes for both commerical entities and government entities. IMO noone talked anybody out of using security tools in the 90s, before these popular tools all became deprecated and unpopular. And whats ironic is nowadays systems are way more vulnerable and the planet is getting more hacked. The government wants us to believe any type of sophisticated hack has to be nation state sponsored. Meanwhile you got these hackers for hire, that are young kids, that can get into anybodies system.
It makes you wonder if this was really the chinese, or someone giving them a taste of their own medicine.
Imagine having whole identity info and background checks on intelligence employees. Whats even scarier is how we are not even shocked by this type of thing anymore, nor have we taken a single step to improve our nations cyber security at all…..The government better figure out ways to attract some imaginative and creative young individuals into their ranks because thats what we are lacking. we need them on our side or WE’RE DOOMED!
I found this to be the most disturbing.. ” The Office of Personnel Management, Federal Investigative Services (OPM-FIS,) provides investigative products and services for over 100 Federal agencies to use as the basis for suitability and security clearance determinations as required by Executive Orders and other rules and regulations. OPM provides over 90% of the Government’s background investigations, conducting over two million investigations a year. Access to information relating to the background investigation process is critical to the Federal Government’s development in personnel security and suitability. The OPM-FIS conducts background investigations on Federal applicants, employees, military members, and contractor personnel for suitability and security purposes.” <– Why so many eggs in one basket?
There’s a general belief that you don’t want to spend a lot of resources reinventing the wheel.
OPM = Office of Personnel Management. In principle, and probably per statute (i.e. blame Congress if you disagree), OPM should be responsible for hiring oversight.
Do you really want 100+ different HR departments each with their own slightly different implementation of standard policies?
Companies generally have a centralized HR, they save money by doing this, and instead of a person only doing 1 hire / month, that person does a couple of hires / day, and gets pretty good at it.
The mistake isn’t in centralizing human resources.
There’s definitely a failure-to-airgap error.
Hiring records should not be on the network. There should be a backup system (also not on the general network). And there should be a way for people involved in hiring to import non-executable data into their database, and to generate and export reports to return to the general network, but the data itself should remain air-gapped.
Note that encryption is useless in most of these cases. If you encrypt the data, then either no one can access it (making it unusable for the desired purpose), or anyone who has access (for the desired purpose) can be exploited to exfiltrate the data.
Encryption is not useless in these cases. If properly managed it buys you at least three important things.
1. Partitioning of the data. If you use 100 different keys with each enciphering 1% of the data then if a key and a large portion of your encrypted data are stolen only 1% of your information is exposed. For this to be effective keys have to be protected either by other keys or ultimately by tamperproof hardware (or storage in a safe and used only under proper authority).
2. In a digital world the only realistic way to enforce mandatory controls on data access is by encryption. If you are allowed by a policy to access the data then you will get the key, otherwise no dice–even if you are compromised by an APT or malware. And #1 still applies, because no user should be authorized to access all the data. Also, no administrator should ever be authorized to access user data. To mitigate a malicious user saving keys, the data can be re-encrypted periodically with a new key.
3. It aids in-after-the-fact security breach analysis. Logs of which user account got which key for what data can be analyized to determine the scope of the breach and how long it has been occurring. This is much more difficult without cryptography. This assumes the logs are stored securely and tampering with them is made extremely difficult to do.
In sum, properly engineered systems utilizing cryptography can dramatically reduce the surface area of the software that can be successfully compromised to steal data.