I've just spent the last 45 minutes transferring all my auto-pay accounts to a new credit card after my bank notified me that someone in Berlin tried to use my old card to buy something on a French website. Since this happened just a couple of days after T-Mobile once again lost control of millions of customer records, I assume that's how my card number wound up with a European criminal.
Or maybe it came from one of the companies whose accounts I just had to update? According to C-Net, "T-Mobile says there's no indication any consumer financial data, such as credit card or other payment information, was compromised." Uh huh.
Until companies have to endure real consequences for their own crappy security, this will continue to happen.