The writer, a Los Angeles freelancer and former Detroit News business reporter, writes a blog, Starkman Approved.
By Eric Starkman
AI illustration for Deadline Detroit
CEO Mary Barra fashions GM as a Silicon-Valley-grade technology company, vowing that software will generate as much as $25 billion in ancillary revenues by the end of the decade. In the meantime, GM’s technology folks reportedly cost its finance arm an untold loss in loan payments.
Resell Calendar, a newsletter beloved by e-commerce hustlers who routinely spot the promotional vulnerabilities corporations miss, reported one doozey of a GM screwup that allowed the “technology” company’s customers to exploit GM’s rewards program, rack up free points, and use them to reduce their car loan payments.
Most embarrassing of all: the savvy customers accumulated their points without even spending a pretty penny.
One unconfirmed but plausible viral report claimed a GM customer wiped out a $59,370 Escalade V loan using points they never paid for.
Resell Calendar summed things up succinctly: “GM fumbled hard on this one.”
GM eventually figured out it was being royally ripped off and patched the vulnerability but only after the loophole had become one of the worst-kept secrets among reseller communities.
Resell Calendar didn’t say how long GM’s promotion loophole lasted. A company spokesman didn’t respond to a request for comment from Deadline Detroit sent late Thanksgiving evening.
While the losses were likely trivial for GM’s finance arm with more than $140 billion in assets, the debacle should alarm the regulators supposedly overseeing the lending business. GM lists its rewards program under Ralph Darmo, whose LinkedIn profile shows he’s based in suburban Philadelphia — another reminder of how nationally scattered GM’s operations are for a company that claims four floors in downtown Detroit’s Hudson’s Tower will serve as its headquarters.
Achilles Heel
As Resell Calendar explained, GM runs a loyalty program similar to credit-card rewards, where points accumulate through vehicle purchases, service visits, and promotional activities. Points are valued at roughly $1 per 100 points, and users with loans through GM Financial can apply points directly toward their payments. That last feature turned out to be the program’s Achilles’ heel.
The rewards platform included a grab-bag of promotional actions that showered users with points. These weren’t referrals or purchases. They were menial engagement tasks — watch a video, click a link, answer a survey, “learn” about a GM feature. None of it required genuine engagement.
Within minutes, anyone with a mouse, a pulse, and a tolerance for repetition could rack up hundreds of points pretending to engage with GM content.
According to Resell Calendar’s breakdown, users quickly realized they could create multiple accounts, run the same promotional tasks over and over, and consolidate the points into a main GM Rewards account without tripping so much as a warning alert.
Word spread across social media and reseller forums, and people recruited family and friends who had no intention of using their GM rewards. Points piled up fast.
Rewards “From Thin Air”
Resell Calendar reported widespread claims of users making substantial vehicle payments with these consolidated points — points they never earned through GM loyalty, but through mass account creation and mechanical repetition. The publication noted that GM had effectively enabled people to generate financial value “from thin air,” simply because it built a system with no meaningful restrictions.
GM executives behind the promotion were either the trusting sort or incredibly incompetent, because they made it idiot simple for users to repeat point-generating tasks endlessly. No CAPTCHA. No throttling. No behavioral checks. No fraud controls. Not even the rudimentary safeguards you’d expect from a company whose CEO claims she’s hired Silicon Valley’s best and the brightest.
Most loyalty programs prevent exactly this kind of abuse with transfer limits, account verification, or friction around how quickly points can move between accounts. Resell Calendar observed that GM had either failed to include such safeguards or built protections so weak they were functionally meaningless. GM appeared to assume that people wouldn’t coordinate mass account creation or point farming, a remarkably bad calculation.
When corporations are unknowingly handing out free money, people will find the angle in record time.
Digital ATM
If GM’s IT department can’t design a basic rewards platform without turning it into a digital free-money ATM for hustlers, one shudders to imagine the quality assurance behind its more complex systems such as the ones that manage braking, steering, or battery safety.
Even more alarming: GM apparently didn’t discover the promotional loophole through its own monitoring, but only after news of the exploit had been widely circulated on social media. Resell Calendar speculated GM’s wake-up moment was possibly when someone posted online they had consolidated 5,937,000 points to pay off their $59,370 2024 Cadillac Escalade V loan.
The publication noted that the fact such a payoff was even conceivable showed how wide open the loophole was.
Barra Overseeing Cybersecurity
One wonders how robust GM’s cybersecurity defenses are given that function now personally reports to Barra. As part of what GM spun as a “restructuring,” the company recently lost three of its top Silicon Valley software executives within a matter of weeks, including its ballyhooed AI chief.
As a result, cybersecurity, IT and data engineering — temporarily reports to CEO Mary Barra, the Detroit Free Press reported. Barra joined GM in 1980 – nearly three decades before Apple launched the iPhone.
The Detroit News recently reported that GM poached Ed Nightingale from Microsoft to oversee its digital products and infrastructure from Seattle, where he’s looking for space to accommodate about 100 developers. Nightingale previously worked at Apple as the engineering director for Apple Cloud infrastructure.
As for the Escalade V customer who supposedly paid off his $59,370 loan with free GM points — Barra may still have the last laugh. The Escalade V’s supercharged V8 belongs to the same finicky engine family that has prompted more than a few Cadillac and GMC owners to complain about oil-consumption issues, oil-pressure problems, and astronomical repair bills.
As the saying goes, karma is a bitch.
Starkman can be reached at eric@starkmanapproved.com Anonymity assured and protected.
