Eavesdropping on backups (see CR213-Backup)
Database correlation by colluding entities (solution: do not leak correlation handles, i.e. use pseudonyms - see Architecture, Core Security Architecture, Access Credentials, Pull Model)
IdP collects traffic analysis (and then sells or illicitly uses it). Some countermeasures:
TN-wide data retention policy, and audit compliance with it: add a compliance requirement
Pure-play IdP operator vs. an operator with mixed functions
A well-managed centralized IdP may be a good idea
Disco collects traffic analysis (and then sells or illicitly uses it)
Traffic Analysis by Third Party
Handles used to correlate entries of the audit trail will also become correlation handles between databases.
If a WSC keeps a log of the User's pseudonym along with the encrypted form of the User's identifier at the WSP, then the WSC and WSP can collude and correlate using the encrypted form. However, this threat is acute only between directly interacting parties: in a chain of web service calls longer than 3, non-neighbouring parties are not in a position to collude using this attack.
The current solution is to forbid logging the tokens; see CR53-DontLogTok.
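Added example (not part of this threat list or of any TAS3/ZXID code) showing both points above: pairwise pseudonyms deny two colluding parties a join key, and logging the token reintroduces one. Assumptions made here and not in the text: the IdP derives the pseudonym as HMAC(secret, user_id, entity_id); the token's encrypted identifier is modelled as an opaque string that is byte-identical in the WSC's outgoing log and the WSP's incoming log; all users, events and entity names are constructed sample data.

```python
import hashlib
import hmac
import secrets

# IdP-side key for pseudonym derivation. Assumption of this example: the IdP
# derives pairwise pseudonyms with an HMAC; the threat list only says "use pseudonyms".
IDP_SECRET = secrets.token_bytes(32)

# Constructed sample users: (identifier at IdP, event seen at WSC, event seen at WSP)
SAMPLE_USERS = [
    ("alice", "alice booked appointment", "CV of applicant A fetched"),
    ("bob", "bob booked appointment", "CV of applicant B fetched"),
    ("carol", "carol updated address", "CV of applicant C fetched"),
]


def pairwise_pseudonym(user_id, entity_id, key=IDP_SECRET):
    """Stable for one (user, party) pair, unlinkable across parties (assumed HMAC scheme)."""
    msg = user_id.encode() + b"\x00" + entity_id.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def encrypted_identifier(user_id, wsp_entity_id):
    """Stand-in for the encrypted identifier carried inside a token.

    Opaque to the WSC, but the same bytes appear in the WSC's outgoing log and the
    WSP's incoming log. A hash is used only so the example runs offline; it is
    not an encryption scheme.
    """
    blob = hashlib.sha256((user_id + "@" + wsp_entity_id).encode()).hexdigest()[:16]
    return "ENC(" + blob + ")"


def build_logs(users, log_tokens, pairwise=True):
    """Simulate the audit logs a WSC and a WSP keep for the same users.

    log_tokens=True  violates CR53-DontLogTok (token stored alongside the pseudonym).
    pairwise=False   uses one network-wide pseudonym instead of one per party.
    """
    wsc_entity = "wsc.example" if pairwise else "trust-network"
    wsp_entity = "wsp.example" if pairwise else "trust-network"
    wsc_log, wsp_log = [], []
    for uid, wsc_event, wsp_event in users:
        token = encrypted_identifier(uid, "wsp.example")
        wsc_row = {"pseudonym": pairwise_pseudonym(uid, wsc_entity), "event": wsc_event}
        wsp_row = {"pseudonym": pairwise_pseudonym(uid, wsp_entity), "event": wsp_event}
        if log_tokens:
            wsc_row["token"] = token  # what the WSC sent
            wsp_row["token"] = token  # what the WSP received
        wsc_log.append(wsc_row)
        wsp_log.append(wsp_row)
    return wsc_log, wsp_log


def collude(wsc_log, wsp_log):
    """Join the two logs on any shared column value other than the event text.

    Returns the (wsc_event, wsp_event) pairs the colluding parties can link.
    """
    index = {}
    for row in wsp_log:
        for col, val in row.items():
            if col != "event":
                index.setdefault((col, val), []).append(row["event"])
    joins = []
    for row in wsc_log:
        for col, val in row.items():
            if col != "event":
                for wsp_event in index.get((col, val), []):
                    joins.append((row["event"], wsp_event))
    return joins


if __name__ == "__main__":
    for label, kwargs in [("pairwise, no tokens logged", {"log_tokens": False}),
                          ("pairwise, tokens logged", {"log_tokens": True}),
                          ("shared pseudonym, no tokens", {"log_tokens": False, "pairwise": False})]:
        linked = collude(*build_logs(SAMPLE_USERS, **kwargs))
        print(f"{label}: {len(linked)} users linkable")
        for pair in linked:
            print("   ", pair)
```

The chain-length remark above follows from the same join: a party two hops away never sees this token's bytes, so it has no column in common with either log and `collude` finds nothing for it.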
Tricking the user into revealing PII through a phishing attack that presents a real-looking web page to solicit PII. See also the access version of the threat: T111-Phish.
Social engineering: talking users into revealing PII. See also the access version of the threat: T112-SocEng.
Network eavesdropping to record PII.
Keyboard logger or other malware to record credentials.
PII theft, e.g. copying a private contact book, using malware.
Physical theft of PII.