I would complain to AMEX as, even if it is not illegal, it is certainly unprofessional. Any company, especially those associated with financial services, has a moral duty of care to look after your data in a secure manner.
I had a similar experience with another household name organisation about 6 months ago - they dealt with it in a very good way by promptly following up the mistake with an apology (on an email using BCC) from the CEO.