To the best of our ability, I think we've confirmed that 1MbDKqngwKQ49TowToHGc9nZBRt99CqK8t is not a change address.
There is a transaction in the blockchain that sends to both 1Cy21mnkUMvZdJW4rDe7Z5ey9sbcZhzzfL and 1MbDKqngwKQ49TowToHGc9nZBRt99CqK8t.
Therefore, it looks like 1Cy21mnkUMvZdJW4rDe7Z5ey9sbcZhzzfL is the change address (since it returns "ismine" : true) and 1MbDKqngwKQ49TowToHGc9nZBRt99CqK8t is the address that was actually sent to.
Since both addresses received in the same transaction, and 1Cy21mnkUMvZdJW4rDe7Z5ey9sbcZhzzfL is in the wallet.dat, it looks like you have the correct wallet.dat. I don't think you are going to find 1MbDKqngwKQ49TowToHGc9nZBRt99CqK8t in any backups.
At this point, unless any other evidence turns up, I don't think you'll be able to recover these bitcoins.
As for how it happened, I really don't know. It seems pretty certain that a thief managed to get access to your unencrypted wallet.dat from somewhere. A keylogger installed on your computer would be the first guess. A trojan that waits for you to type your password and then steals the unencrypted content would be another possibility. Have you imported the wallet.dat file (or private keys) into any other wallets?