Either at least one of your devices was compromised or else a company (or any other third party) leaked your data most likely because of an attack. That what you describe is typical for a carding attack, somebody has your debit card data as well as ohter personal information like address, phone, email etc. but I dont think that the attacker has other data which are necessary to effectivly use the card, like your IP address, useragents, session cookies etc. otherwise he would sim swap your number. If so the consequences would have been far beyond receiving a sms with otp :)

Ofc check all your devices and anaylse your opsec. but imo it's enough to block the card and get a new one. you can change your phonenumber and email adress as well but that depens on your specific cost-benefit ratio.