Especially since this request was done by snail mail, so the passport was probably a black-and-white photocopy. All the attacker needs to alter is the name, which seems pretty trivial.