What you've described is an Insecure Direct Object Reference:
Top 10 2013-A4-Insecure Direct Object References - OWASP[
^]
Using a sequential number to access data for different records makes it trivial for an attacker to guess the URL for other users' data.
You can make their life harder by adding a
GUID[
^] key to the record, and only using that key to retrieve the data.
But the only
real solution is for your code to validate that the user making the request has permission to access the data being requested. How you do that will depend on your database structure and authentication mechanism.