I assume that there is an authentication mechanism not visible in the example URLs you have shown us, and that the traffic is protected by SSL.
The only time someone can see the request but not the response is in the server logs - do you really store these differently from how you manage your application data?
If you do manage access to your logs, since the response is going to include the customer details, trying to restrict or hide information in the request does not serve any useful purpose. OTOH logs are stored at both ends of the interaction; are your users better served by hiding data? This depends on the service you are offering, your user base and the nature of the devices being used. But in most of the scenarios I can imagine, for someone wanting to observe this information, the interesting bits can be seen in other places than the query in the URL.
A further consideration if the specificity and cost of the processing. What happens if you have more than one record with the same fname and lname? If the cost of resolving one form of query is particularly high, then it may be avenue for a DOS attack.