First, upload approval is definitely a good thing.
The person who did this to your client probably did not use CPG's batch upload options (I'll have to run an experiment to see how CPG XP publisher behaves when anonymous uploads are allowed, though), and most likely wrote a custom script to do this. (Also, check your version. If you are running 1.0 and have not applied the security patch, then they could have easily done much worse.)
Next, look at all the pictures they uploaded and see what the IP address is for most of them. Do a DNS lookup to see who owns those IP addresses. If it is traceable to a single entity (most likely), then ban the IP address or block of IP addresses. Then contact the owner if it is a web hosting company, and tell them the IP addresses and times of upload. They can ban the person for engaging in abusive activities. Keep in mind that an IP address can be spoofed, so this may not lead you to the culprit. Your server logs will be more reliable than CPG in this regard.
You should probably consider adding a .htaccess file that only allows external access to the index page (preventing a person from running the script on their server - everyone would have to arrive at a form from another page in the site), and you should set a reasonable limit for anonymous uploads. What is your current limit?
Whatever you can tell about the timeframe of the attacks, etc. will make it easier to determine how the attack was carried out.
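One way to do the server-log check suggested in the post above, as an added example that is not part of the original post: it tallies upload POSTs per IP address and per /24 block from an Apache combined-format log, counts those that arrived without a same-site Referer, and records each address's first and last upload time. The log lines, the upload path `/gallery/upload.php` and the host name `gallery.example` are constructed assumptions; substitute the values from your own server.

```python
import re
from collections import Counter
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample lines in Apache "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2005:03:14:01 +0000] "POST /gallery/upload.php HTTP/1.1" 200 512 "-" "libwww-perl/5.79"
203.0.113.7 - - [12/Mar/2005:03:14:02 +0000] "POST /gallery/upload.php HTTP/1.1" 200 512 "-" "libwww-perl/5.79"
203.0.113.9 - - [12/Mar/2005:03:14:05 +0000] "POST /gallery/upload.php HTTP/1.1" 200 512 "-" "libwww-perl/5.79"
198.51.100.4 - - [12/Mar/2005:09:30:00 +0000] "POST /gallery/upload.php HTTP/1.1" 200 734 "http://gallery.example/gallery/upload.php" "Mozilla/5.0"
198.51.100.4 - - [12/Mar/2005:09:31:00 +0000] "GET /gallery/index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Captures: ip, timestamp, method, path, referer (user agent is not needed here).
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" \d{3} \S+ "([^"]*)"')

def summarize_uploads(log_text, upload_path="/gallery/upload.php",
                      site_host="gallery.example"):
    """Tally upload POSTs per IP and per /24, off-site referers, and time window."""
    per_ip, per_block, offsite, window = Counter(), Counter(), Counter(), {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, ts, method, path, referer = m.groups()
        if method != "POST" or path.split("?")[0] != upload_path:
            continue
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        per_ip[ip] += 1
        # Group IPv4 addresses by /24 to spot one hosting block; IPv6 is kept whole.
        block = ".".join(ip.split(".")[:3]) + ".0/24" if "." in ip else ip
        per_block[block] += 1
        # A form submitted from the site's own page normally carries a same-site
        # Referer; a missing or foreign one is a hint, not proof, of a script.
        if urlparse(referer).hostname != site_host:
            offsite[ip] += 1
        first, last = window.get(ip, (when, when))
        window[ip] = (min(first, when), max(last, when))
    return {"per_ip": dict(per_ip), "per_block": dict(per_block),
            "offsite": dict(offsite), "window": window}

if __name__ == "__main__":
    report = summarize_uploads(SAMPLE_LOG)
    for ip, n in sorted(report["per_ip"].items(), key=lambda kv: -kv[1]):
        first, last = report["window"][ip]
        print(ip, n, "uploads,", report["offsite"].get(ip, 0),
              "without same-site referer,", first, "to", last)
```

The per-address times are what a hosting company's abuse contact will ask for, and the /24 tally shows whether a block-level ban would cover the uploads.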