Well, I don't think you will find the answer satisfactory.
First, the application log will be of no value in determining "if [the malicious people] retrieved any data from [you]". Indeed, no CF log will tell you that.
The application.log file holds in it either logging written by your application to it (such as with cflog) or errors which happened in your CFML pages. (And even then, if your errors were "handled" by your application, then such errors will NOT be written to that log file by default. Your error handling code will decide then how to handle the error, such as whether to send the error to someone via email, store it in a db, log it, etc.)
To be clear, no CF log tracks all requests that were made. While your web server access logs will tell you that, it still may not help for two reasons: a) if the request was a POST, those logs won't track what form fields/post parameters were used, and b) regardless, the access logs don't track what the requests got in reply.
This is just a sad reality with pretty much any web application framework (not just CF): there's no built-in auditing of "all that was processed".
Then again, usually what matters is not really "what web pages they accessed" but "what data those pages presented". And normally that important data would come from a database or perhaps an API call you'd make (from CF, to get the data). And an argument could be made that the auditing of "what was requested" and/or "what was returned" is something that should be sought in that database server (or API server), rather than being CF's (or any web app server's) responsibility.
Again, not likely the answer you wanted to hear. And I realize it's about a year late anyway, but I wanted to offer it as I came across it. Hope it may help someone.
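To make the access-log limits described in the answer above concrete, here is an added example (not part of the original post) that triages web server access logs per client and lists the requests whose parameters were never recorded. It assumes Apache/NCSA combined log format; the sample lines, IP addresses and paths are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in combined log format (not from a real server).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2023:10:01:02 +0000] "GET /index.cfm HTTP/1.1" 200 5120 "-" "curl/8.0"
203.0.113.7 - - [12/Mar/2023:10:01:09 +0000] "POST /admin/export.cfm HTTP/1.1" 200 812345 "-" "curl/8.0"
198.51.100.4 - - [12/Mar/2023:10:02:00 +0000] "GET /report.cfm?id=42 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2023:10:02:30 +0000] "POST /login.cfm HTTP/1.1" 302 - "-" "curl/8.0"
not a log line
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# Methods whose parameters travel in the request body, which the log omits.
BODY_METHODS = {"POST", "PUT", "PATCH"}

def parse_line(line):
    """Return the fields an access log actually holds, or None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])  # "-" means no body sent
    rec["body_unlogged"] = rec["method"] in BODY_METHODS
    return rec

def summarize(log_text):
    """Per client IP: request count, response bytes, and requests with unlogged bodies."""
    per_ip = defaultdict(lambda: {"requests": 0, "bytes_sent": 0, "blind_posts": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines instead of aborting the triage
        s = per_ip[rec["ip"]]
        s["requests"] += 1
        s["bytes_sent"] += rec["size"]
        if rec["body_unlogged"]:
            s["blind_posts"].append((rec["ts"], rec["uri"], rec["status"], rec["size"]))
    return dict(per_ip)

if __name__ == "__main__":
    for ip, s in summarize(SAMPLE_LOG).items():
        print(f"{ip}: {s['requests']} requests, {s['bytes_sent']} response bytes")
        for post in s["blind_posts"]:
            print("  parameters not in log:", post)
```

The response size and status code are the only trace of the reply in these logs; what the response contained has to come from database or API auditing, as the answer says.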