If he has ever used his cc or bank card at say.....a fast food joint, restraunt, to order pizza over the phone, then someone could have stolen his info. If someone stole mail out of his mail box or garbage, someone could have stolen his info. If he called customer service with other people in the room and had to give info to verify his id or made a purchase over the phone....someone could have stolen his info. If he left a receipt on the table or dropped it in the store and the company in question does not use one of the newer systems that x's out the cc#, then someone could have stolen his info.

Credit card information is incredibly easy to steal, and usually poorly verified at physical and online establishments. While some companies are starting to require things like the cvv2 info and doing real time auth, many are still poorly set up and ill equiped to do fraud prevention.

You might also check the brother. Kids steal their siblings/parents cards all the time and use them. Or, he may have autocomplete turned on for his web browser which can be used to get the info (by haxors and family members alike).

It is possible that he has some bit of malware that stole his info, it is more likely they stole it via more conventional means.