As you have no doubt heard by now, Marriott disclosed a massive data breach that exposed up to 500 million customer records. Hackers accessed information in the company’s Starwood reservation system, which affected brands such as W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, and other properties in the Starwood portfolio, the company said. The intrusion apparently began in 2014, two years before Marriott acquired Starwood. This oversight in the M&A process calls to mind another recent, post-acquisition hacker-surprise: Yahoo, whose two mega-breaches remained undetected when the company sold to Verizon last year. Coincidentally, Marriott’s hack is the biggest suffered by a corporation, second only to those at Yahoo.

After news of the Marriott breach came out, Sen. Charles E. Schumer (D-N.Y.) called on the hotel chain to foot the bill and replace people’s passports which were potentially compromised as part of the breach. Marriott quickly promised to cover the cost for as many as 327 million people whose passport numbers may have been exposed. At a fee of $110 per passport, that would put Marriott on the hook to pay up to $36 billion—a price tag equivalent to the value of the entire company, per its market capitalization. A devastating payout.