Normal Behaviour?
RE: "Let’s be clear: this is not hacking, this is routine activity that looks like normal behaviour."
If downloading 53 or 56 million accounts is "normal behaviour" on your network you should fire your security staff and start fresh. Access control is about classification, categorization, and rate of flow. Audit controls should be established that address all three. (1) Do I trust this user for this level of sensitivity, (2) Does the category of data being accessed relate to the role held by this user, (3) Is the volume of data being requested consistent with the roles and responsibilities held by this user.
If you are exceeding authority in any of those categories via cyber means, you are not performing "normal behaviour" - you are hacking!
Gary Warner - UAB Computer Forensics