Yesterday I got an e-mail from Wells Fargo telling me that they are sending me a new debit card because some one stole data. I called and they said it was not them that got compromised but rather a place I used my card. Pretty sure it would not be a mom and pop show so that only leaves a few places like CVS or Wal Mart. The bank won't tell me who because it is an ongoing investigation.
Surprised this is the first time you received this type of notification. You must shop/e-tail at some really secure vendors. I remember one stint where my bank reissued my card three times in a 6 month period; all for the same reason.
I did have an instance a few years ago where a charge for a motel showed up on my statement from Louisiana. I have never been there so they credited me back and issued a new card again. I just don't think hackers would go after a small company. They could go after say MGM liquor store though I suppose.