A hacker broke into the servers of toymaker VTech last month, compromising the personal information of millions of children and adults. While the consequences of the hack are still unclear, police now have a suspect. Authorities have arrested a 21-year-old man in the UK on suspicion of crimes related to unauthorized access to a computer, reports the BBC.

“We are still at the early stages of the investigation and there is still much work to be done,” said officials in a statement.

The hack in question alarmed consumers—and especially parents—because it targeted children’s learning and messaging toys and exposed information like photos and chat logs. The CEO of VTech, which is based in China but sells its toys around the globe, said earlier this month that the company would keep its websites offline until it had a better idea of what happened.

The hack was originally reported by the technology news website Motherboard, which heard firsthand from the hacker, who claimed he had no malicious intentions and would not release the data. Skeptics, however, warned the hacker should not be trusted and noted how stolen data can fetch money in underground markets.

For technology enthusiasts and parents, the breach of the toys points to the peril of the “Internet of things,” where everything is connected online, but companies may be unable to secure their platforms from hackers and criminals.

Currently, VTech is working with the U.S. cyber security firm FireEye FEYE to investigate the hacking incident.

The toymaker is also facing a class action suit from U.S. consumers over alleged privacy violations tied to products including the InnoTab 3, InnoTab 3S Plus, InnoTab 3S, the Tote & Go Laptop, MobiGo, ABC Learning Classroom toys; as well as the Kid Connect, Learning Lodge, and PlanetVTech services.

If the CIA isn’t safe from hackers, nobody is. See how the agency’s director was hacked in this Fortune video:

Subscribe to Data Sheet, Fortune’s daily newsletter on the business of technology.