An investigation by Taiwan’s National Communications Commission (NCC) has found as many as 12 smartphone vendors’ handsets don’t comply with privacy regulations and could allow the makers to capture data without a user’s permission.

The NCC kicked off an investigation in August after China’s Xiaomi was accused by researchers and a government agency in Taiwan of sending unauthorised user data back to its servers in Beijing.

NCC has reportedly only identified three of the 12 — Apple, Samsung and Xiaomi.

An NCC official said today that the vendors would be subject to fines of as much as TWD200 million ($6.4 million) or bans in Taiwan unless they resolve the privacy violations, Reuters reported. The NCC said it will release the full results once the investigation is completed in a few weeks.

Privacy breaches, particularly losses of customer passwords and banking/credit card data, have become an increasing global concern for tech companies worldwide after numerous high-profile leaks. Some of the top breaches over the past year, which affected five to 110 million customers each, were at Snapchat, South Korea’s KT, and Target and JPMorgan Chase in the US.

In early October, in response to pressure from the Chinese government to improve security of customer data, Apple started hosting mainland users’ data on its iCloud service on China Telecom servers.

Two weeks later Xiaomi said it would move non-Chinese user data from China-based servers to Amazon servers in the US and data centres in Singapore. The company said the move was driven by performance and privacy issues.