If you did not authorize the transaction, there are two likely scenarios, since each transaction must be signed using the private keys to the respective address.
- Someone used your physical Trezor device to confirm the transaction,
or
- Your private keys (derived from your recovery seed) were compromised and the attacker used them to sign the transaction. If your seed words are revealed, anyone can clone your wallet, including your private keys.
To investigate further, please contact our customer support: customer support contact form.