Hi there
I have employed a Freelancer to update Magento Patches to my website (since I don't know how to do it myself). He has asked for SFTP/SSH details.
I want to know: once he gets these details, can he access any private information from my website relating to sales, client details, addresses etc?
My Internet Provider is in Australia. They have said to only give the SSH details to someone I trust. My website is via Magento (I do simple things like upload pics & pricing etc) and clients can just go onto website and purchase. However, I need a lot of new installations put in place (and I don't know how to do it myself).
As I said, he has asked for SFTP/SSH details. I got those from my IP. Is it safe to give him this information?
I don't know this person (as he's in India) so I just want him to be able to install the patches and not compromise my website.
I have already given him access to my cPanel through VentraIP as he needed to correct the security/SSL of my site. He did that and fixed the problem quickly.
He has LIMITED access to my website backend (so he can't see client names, addresses, credit card details etc).
I would appreciate answers to all of the above. Should I allow him to access everything through the SSH info via the cPanel? I need to have some of the patches updated on my website anyway as it hasn't had it done in about 3 years.
While I don't have eyes on your particular cPanel and configuration...
With cPanel access, it's likely that your developer has access to your database and file system through modules like "File Manager" and "phpMyAdmin".
https://documentation.cpanel.net/display/68Docs/cPanel+Features+List
The database is where customer and other sensitive data is stored. Additionally, files can be adjusted for malicious purposes through File Manager. With database access, it can even be possible to gain full admin access to the Magento admin panel.
SSH is likely to give even more access, which you should be careful about, but it is the preferred way to push changes to the site. However, it sounds like the cat is already out of the bag.
You should only be using developers that you trust and that you have a reasonable contract with.
Additionally, you should not be storing any credit card data within your site. It should be transmitted directly to a secure payment gateway like PayPal, Authorize.net, Amazon Payments, etc. That's not to say that with this kind of access a developer couldn't subvert that and put up their own checkout form to steal credit card data, but regardless, there shouldn't be stored credit card data sitting around to be stolen. Please be sure to be PCI Compliant.
Lastly, if your site was 3 years behind in security patches, there's a chance that your site was already compromised in some way. While patching is important, it's recommended to run some security scans as well to make sure that you're in good shape. Hackers scan the web looking for vulnerable sites to abuse, so even if you think you're a low-priority target, it's best to verify. Adding the missing security patches is extremely important, but those patches won't necessarily overwrite existing injections into the site.
It sounds like you're heading on the right path by starting to prioritize security. Sorry if this isn't what you were hoping to hear, but I wish you the best of luck with your site and do hope that this information is helpful!
Would you be willing to consider turning to third-party ecommerce website development services? Because if yes, you'll be much better off with just hiring professionals, who can make sure that your website will be secured and up to the current industry standards.