Might not be a website - my wife's and my debit cards were compromised last year within two weeks of one another. The only thing they had in common was that they're at the same bank; she has never even once used her card online.
Our conclusion was that Chase Manhattan had been compromised. That's kind of scary, really. They have to be spending serious money on security.
To clarify, by "they have to", are you stating a fact or making a demand? One would have thought that Citigroup would have had some pretty tight security as well.
I think I'm accentuating an assumption - and when I saw the Citigroup story, I had precisely the reaction you just expressed here.
And yet you know that Chase and Citigroup are spending money on security in copious amounts. My heart breaks to think of all those guys getting paid not to know jack. (Or, just as probably, all those guys getting paid not to be able to shove jack through the corporate process.)
It could have been coincidence and an offline compromise for your wife. There are a lot of skimming operations out there. Plus when you give your card to a waiter at a restaurant, nothing stops the waiter from copying your information.
In my case the fact that the purchase was made from Turkey suggests that it was an online compromise.
Our conclusion was that Chase Manhattan had been compromised. That's kind of scary, really. They have to be spending serious money on security.