Whenever you are thinking about the possibility of legal action, the first thing to do is to take a copy of the whole machine. Preferably in front of independent witnesses - but that is verging on the legal stuff and I am in no way in a position to give legal advice even if this site allowed it. Get proper legal advice before doing anything.
Once you have a secured copy for evidence, you can get on and fix things. Clearly, in this case you've realised a number of coding/security errors so you should go get those fixed - on a server that isn't connected to the Internet.
You've learned a valuable lesson, and with little cost, it seems to me. Hopefully next time you will be a little better at testing your code for vulnerabilities before putting it on the Internet.
As for whether there are actions you can take against the person you've found? Apart from maybe thanking them for helping you improve as a programmer ;-), all I will say is that revenge is never a good idea.
Legally, it is likely that you have little to go on anyway - did you have clear terms and conditions in place that would discourage someone from making use of vulnerabilities? Was what they did even illegal in their region? Just be thankful and move on.