It added that the personal data held on its email servers was "unlikely to present a high risk to individuals," although information included in the body of an email or in an attachment could be vulnerable.
The personal data held on the registers - name and address - did not itself present a "high risk" to individuals, it added, although it is possible it could be combined with other public information to "identify and profile individuals".
It has not said when exactly the hackers' access to its systems was stopped, but said they were secured as soon as possible after the attack was identified in October 2022.
Explaining why it had not made the attack public before now, the commission said it first needed to stop the hackers' access, examine the extent of the incident and put additional security measures in place.
Defending the delay, commission chair John Pullinger said: "If you go public on a vulnerability before you have sealed it off, then you are risking more vulnerabilities."
He said the "very sophisticated" attack involved using "software to try and get in and evade our systems".
He added that the hackers were not able to alter or delete any information on the electoral registers themselves, which are maintained by registration officers around the country.
Information about donations and loans to political parties and registered campaigners is held in a system that is not affected by this incident, the notice added.
Mr McNally said he understood public concern, and would like to apologise to those affected.
The commission added that it had taken steps to secure its systems against future attacks, including by updating its login requirements, alert system and firewall policies.
The Information Commissioner's Office, which is responsible for data protection in the UK, said it was urgently investigating.
On paper, this is about as serious as it gets.
Hackers interfering in elections is one of the biggest fears of the democratic world.
Luckily, the commission says in this case the cyber intruders did not have an impact on any elections, or anyone's registration status.
But make no mistake - this is still a serious breach and the nature of the attack is telling.
For supporters of the UK's manual voting system, the attack will bolster the case against using e-voting in future.
"Pen and paper can't be hacked" is often what supporters say when debates about modernisation come about.
The fact the hackers were inside the Electoral Commission systems from August 2021 indicates this was not a criminal hacking operation looking to make a quick buck through extortion.
This was a patient and skilled adversary to have been inside undetected for so long.
This operation looks like a probing one seeking out information about the UK's democratic process to search for weaknesses.
The Electoral Commission isn't saying who it was (if they know).