I don't even understand how that's legal.
It's because of the merchant agreement. Sometimes when you put your card on a webpage for reuse instead of it being treated as a series of one-time only purchases, it gets used and coded as "recurring." That gives the merchant the capability to do things that a store can't do like get your new expiration date or even your new card number if you'd reported the previous one lost or stolen.
Anyway, for purposes of Reg. E and MasterCard Zero fraud loss, "unauthorized" is "unauthorized." Suntrust HAS to investigate. That means they contact Western Union, and while you had zero luck with Western Union, Suntrust is in much better position to get the information to determine that just maybe you didn't do the transaction or benefited.
I'll caution you though. I hope you have a back up bank. Sometimes a bank HAS to give you your money back, but that doesn't mean they have to keep you as a customer because they just see you as a careless person and a risk. For customers that have debit card claims sometimes the bank doesn't reissue a new debit card which kind of makes keeping the account worthless so you leave, or the bank just closes your account.
The lesson is don't store your card number on the wrong kind of websites. It's probably ok to do it for a utility or your insurance because if someone sends money to them, you can probably get it back or at least have a credit on your account. However, with PayPal, Wal-Mart, or Western Union where money or merchandise can be sent to anyone that you might not be able to get back, it's a risk that's probably not worth the convenience.