(CNN) -- The NSA broke privacy rules "thousands of times each year" since 2008, The Washington Post reported Thursday, citing an internal audit and other documents.
Material was provided to the newspaper this summer by National Security Agency leaker Edward Snowden.
The audit found 2,776 incidents of "unauthorized collection, storage, access to or distribution of legally protected communications," the Post reported in its story.
"Most were unintended. Many involved failures of due diligence or violations of standard operating procedure. The most serious incidents included a violation of a court order and unauthorized use of data about more than 3,000 Americans and green-card holders," it said.
The paper said most incidents involved unauthorized surveillance of Americans or foreign intelligence targets in the country.
The audit was dated May 2012 and looked at the prior 12 months.
The NSA responded to the Post's story, saying "a variety of factors can cause the numbers of incidents to trend up or down from one quarter to the next."
Factors can include implementation of new procedures, technology or software changes and expanded access.
"The one constant across all of the quarters is a persistent, dedicated effort to identify incidents or risks of incidents at the earliest possible moment, implement mitigation measures wherever possible, and drive the numbers down," the agency said.
The agency released a statement Thursday night defending its programs.
"NSA's foreign intelligence collection activities are continually audited and overseen internally and externally," it said. "When NSA makes a mistake in carrying out its foreign intelligence mission, the agency reports the issue internally and to federal overseers -- and aggressively gets to the bottom of it."
Snowden stepped forward publicly in June to claim responsibility for leaking to the media that the NSA had secretly collected and stored millions of phone records from accounts in the United States. The agency also collected information from U.S. companies on the Internet activity of overseas residents, he said.
He fled first to Hong Kong and then to Russia before Moscow granted him temporary asylum despite pressure from the Obama administration to return him to the United States to face charges.
He has been charged with three felony counts, including violations of the U.S. Espionage Act, for the leaks.