Well, in the last one year, all the trips have been US/EU only. so nowhere I can put a finger on. it has to be some internet vendor getting compromised and keeping those card numbers unencrypted
In an interest to prevent such issues happening again, I would review which particular places you used it physically, where you allowed the card to be removed from where you could view it being swiped...