Hacker News

No. It's about time we stop letting the financial industry get away with incompetence. Every other software vendor would be raked over coals for not having a publicly available security disclosure email address and utterly failing to properly route a request via Twitter.

Responsible disclosure exists so that vendors have an incentive to respond to vulnerability reports in a timely manner. In fact, it is the responsible thing to publicly disclose vulnerabilities so that AmEx learns to implement a proper security reporting process.



No. I agree with almost everything you wrote, but this sort of disclosure doesn't punish the company, it punishes its _users_, and doesn't give them an easy way to make the causal connection. Unless this story is picked up by the mainstream media, how are any victims of this exploit to know that it happened because AmEx is incompetent, instead of e.g. because credit cards are risky?



