>> The response contained the victim's name, phone number, address, and car details

I've seen this in a few other APIs.

Although the frontend was not using or displaying it, the backend was still sending a lot of personal information in REST responses by default. :/