This is an odd one. If the card was never used and card information never listed as payment source elsewhere, then as noted it would have to be the card issuer that was hacked. The info was breached at the source somehow, the issuer. Not that all hacking isn't, but that is serious.
Obviously the card issuer needs to be called, and in this case asked for an explanation of how it could have occurred. Given the information provided, I'd likely cancel the card completely and separate any ties with them. Find a new CC issuer. Credit rating might take a small hit with the cancel, but worth it imo.