I apologise in advance for a lack luster comment, but seeing incompetence on so many levels like this on a monthly basis from financial institutions makes me want to be sick.
This is like putting a sign out the front of your house saying please do not enter though the back window, it's open.
I look at this as a good thing. I know that if I am ever injured in such a way as to receive severe brain damage, I'll still be able to get a high-paying programming job.
Then there is more behind as we think. Actually we can be pretty sure someone on the web team will have pointed out that this is not good and insecure.
After seeing this i kind of get the idea why this url is in the wild.
Yikes, I wonder if that's how it was discovered in the first place. I'm no pen tester, but that's probably the first thing I would check on a target website.
If anyone happens to lose money through this vulnerability I think that provides enough evidence to make AMEX knowingly culpable.
Without that, this is just run-of-the-mill incompetence. But the Disallow: /us/admin/ indicates that they knew that URL was wide open, and failed to act.
https://www.americanexpress.com/robots.txt
User-agent: * Disallow: /us/admin/ Disallow: /us/heroes/ Allow: